Guidelines for Monitoring Bank Secrecy Act Compliance

The Federal Deposit Insurance Corporation (FDIC) recently
revised its May 18, 1987, guidelines for monitoring Bank Secrecy
Act (BSA) compliance. These new guidelines are attached.

On May 18, 1987, the FDIC issued a policy statement entitled
"Guidelines for Monitoring Bank Secrecy Act Compliance." The
guidelines included the steps that banks should take to comply
with Section 326.8 of the FDIC's Rules and Regulations, which
governs procedures within the bank to ensure compliance with
Treasury Department rules, as well as a copy of the FDIC's
BSA compliance examination procedures. While the 1987 policy
statement will be rescinded, the guidelines have been updated.

The FDIC recently adopted revised BSA examination procedures
developed by an interagency working group, which are included
in the attached revised guidelines.

In addition to the new BSA examination procedures, the revised
guidelines include further instructions on independent testing,
training, and designating an individual or individuals to
be responsible for coordinating and monitoring compliance
with the Bank Secrecy Act, as well as a brief section on "Know
Your Customer" policies.

The FDIC's compliance requirements are separate from the
substantive reporting and recordkeeping requirements of the
Bank Secrecy Act and 31 C.F.R. 103. Banks must have an effective
compliance program that not only meets the minimum requirements
of the FDIC's rule, but addresses the specific circumstances
of each banking office. For example, banks operating from
numerous locations and banks with offices in border areas
or in areas where money laundering or drug trafficking is
prevalent must have in place extensive controls, plans and
procedures beyond the minimum regulatory requirements.

The true test of any compliance program's effectiveness
is its ability to prevent violations. If examiners find numerous
or serious violations of the Treasury Department's regulations,
the bank's compliance program will likely be judged inadequate,
and violations of Section 326.8 will be cited.

The independent testing requirement contained in Section
326.8 demands the use of examination procedures by auditors,
outside parties or employees who are independent of the currency
transaction reporting function. The FDIC's examination procedures
may be used as a model for developing such procedures within
the banking organization. It is essential that the scope of
any testing procedures as well as the results of those procedures
be thoroughly documented. In most cases, this will involve
retaining workpapers from internal and/or external audits
of BSA compliance. Procedures that are not adequately documented
will not be accepted as being in compliance with the independent

Repeated violations of Section 326.8 may result in a cease
and desist order against the bank by the FDIC. Failure to
comply with such an order may result in the assessment of
civil money penalties. The FDIC reports to the Treasury Department
all BSA violations discovered during each examination. Those
violations are reviewed by Treasury for possible civil money

Beginning February 19, 1996, the FDIC's Division of Supervision
officially assumed full responsibility for BSA examinations
from the Division of Compliance and Consumer Affairs. Questions
regarding the attached guidelines, or the examination procedures
incorporated within the guidelines, should be addressed to
your Division of Supervision Regional Office.

Distribution: FDIC-Supervised Banks (Commercial and Savings)

GUIDELINES FOR MONITORING BANK SECRECY ACT COMPLIANCE

Section 326.8 of the FDIC's Rules and Regulations requires
banks to develop and administer a program to assure compliance
with the Bank Secrecy Act (BSA) and 31 C.F.R. 103. The compliance
program must be in writing, approved by the bank's board of
directors and noted in the minutes.

Section 326.8(c) sets out four minimum requirements of the
compliance program. To meet the minimum requirements, a bank's
compliance program should include:

A system of internal controls. At a minimum, the
system must be designed to:

    Identify reportable transactions at a point where
    all of the information necessary to properly complete
    the required reporting forms can be obtained. The bank
    might accomplish this by sufficiently training tellers
    and personnel in other departments or by referring large
    currency transactions to a designated teller. If all
    pertinent information cannot be obtained from the customer,
    the bank should consider declining the transaction.

    Ensure that all required reports are completed accurately
    and properly filed. Banks should consider centralizing
    the review and report-filing functions within the banking

    Ensure that customer exemptions are properly granted
    and recorded. The compliance officer or other designated
    officer should review and initial all exemptions prior
    to granting them.

    Provide for adequate supervision of employees who
    accept currency transactions, complete reports, grant
    exemptions or engage in any other activity covered by
    31 C.F.R. 103.

    Establish dual controls and provide for separation
    of duties. Employees who complete the reporting forms
    should not be responsible for filing them or for granting

Independent testing for compliance with the BSA and
31 C.F.R. 103. The independent testing should be conducted
at least annually, preferably by the internal audit department,
outside auditors, or consultants. Banks that do not employ
outside auditors or consultants or that do not operate internal
audit departments can comply with this requirement by utilizing
for testing employees who are not involved in the currency
transaction reporting function.

The compliance testing should include, at a minimum:

    A test of the bank's internal procedures for monitoring
    compliance with the BSA, including interviews of employees
    who handle cash transactions and their supervisors.

    A sampling of large currency transactions followed
    by a review of CTR filings.

    A test of the validity and reasonableness of the customer
    exemptions granted by the bank.

    A test of the bank's recordkeeping system for compliance
    with the BSA.

    Documentation of the scope of the testing procedures
    performed and the findings of the testing. Any apparent
    violations, exceptions or other problems noted during
    the testing procedures should be promptly reported to
    the board of directors or appropriate committee thereof.

It is essential that the scope of any testing procedures,
and the results of those procedures, be thoroughly documented.
In most cases, this will involve retention of workpapers
from internal and/or external audits of BSA compliance.
Procedures that are not adequately documented will not
be accepted as being in compliance with the independent

The designation of an individual or individuals to
be responsible for coordinating and monitoring compliance
with the Bank Secrecy Act. To meet the minimum requirement,
each bank must designate a senior bank official to be responsible
for overall BSA compliance. Other individuals in each office,
department or regional headquarters should be given the
responsibility for day-to-day compliance. The title of the
individual responsible for overall BSA compliance is not
important; however, the level of authority and responsibility
within the institution is. The senior bank official in charge
of BSA compliance should be in a position, and have the
authority, to make and enforce policies. A "BSA Officer"
who reports to a senior official would not be sufficient
to meet the requirements unless the senior official is officially
designated as the officer in charge of overall BSA compliance.

Training for appropriate personnel. At a minimum,
the bank's training program must provide training of all
personnel whose duties may require knowledge of the BSA,
including, but not limited to, tellers, new accounts personnel,
lending personnel, bookkeeping personnel, wire room personnel,

In addition, an overview of the BSA requirements should
be given to new employees and efforts should be made to
keep executives informed of changes and new developments
in BSA regulation.

Depending on the bank's needs, training materials can
be purchased from banking associations, trade groups or
outside vendors, or they can be developed by the bank.
Copies of the training materials must be available in
the bank for review by examiners.

An effective "Know Your Customer" policy also is essential
to compliance with the BSA and may aid in preventing the
financial institution from becoming a conduit for a money
laundering scheme. A "know your customer" policy consists
of procedures that require proper identification of every
customer at the time an account is opened in order to
prevent establishment of fictitious accounts. The primary
objective of such a policy is to enable the financial
institution to predict, with relative certainty, the types
of transactions the customer is likely to be engaged in.
Internal systems should then be developed for monitoring
transactions which are inconsistent with each customer's
"transaction profile". In addition, the bank's employee
education program should provide examples of customer
behavior or activity which may warrant investigation.