Agencies emphasize risk-focused approach in BSA/AML exam manual updates

Updates to the manual used to guide examinations of banks’ and credit unions’ compliance with Bank Secrecy Act/anti-money laundering (BSA/AML) requirements, intended to promote transparency while setting no new requirements, were released Wednesday by federal and state financial institution regulators through the umbrella Federal Financial Institutions Examination Council (FFIEC).

The updates, the agencies said, provide instructions to examiners for “risk-focusing” BSA/AML examinations and assessing an institution’s BSA/AML compliance program. Revisions were made by the Federal Reserve Board, Federal Deposit Insurance Corp. (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and State Liaison Committee (made up of state supervisory agencies) “in close collaboration” with the Treasury Financial Crimes Enforcement Network (FinCEN), the agencies said.

“Many of the revisions are designed to emphasize and enhance the Agencies’ risk-focused approach to BSA/AML supervision,” the agencies said in a joint statement. “For example, revisions to the updated sections emphasize the need for examiners to evaluate a bank’s BSA/AML compliance program based on its risk profile for money laundering, terrorist financing, and other illicit financial activities.”

Revisions were made throughout the updated sections to ensure that language clearly distinguishes between mandatory regulatory requirements and supervisory expectations set forth in guidance, they said. The revisions also incorporate regulatory changes since the last update of the manual in 2014.

Significant revisions include:

  • Risk-focused BSA/AML supervision: The manual provides instructions to examiners for tailoring BSA/AML examinations to a bank’s risk profile, including examination and testing procedures, and conducting risk-focused testing or analytical reviews.
  • Assessing the BSA/AML compliance program: The manual provides instructions to examiners for assessing the adequacy of a bank’s BSA/AML compliance program and constitutes a minimum set of procedures for full scope BSA/AML examinations. It separates internal controls, independent testing, BSA compliance officer, and training into individual sections.
  • BSA/AML risk assessment: The manual provides instructions to examiners for assessing the adequacy of a bank’s BSA/AML risk assessment processes, including: (i) the identification of specific risk categories (e.g., products, services, customers, and geographic locations) unique to the bank, and (ii) an analysis of the information identified to better assess risk within these categories. The manual says there is no particular method or format a bank must use for the risk assessment and that risk categories can vary based on a bank’s size, complexity, or organizational structure. It also says there is no requirement for risk assessment updates on a continuous or specified periodic basis, “but these updates may occur as necessary to align the risk assessment with a significant change in a bank’s risk profile.”
  • Developing conclusions and finalizing the exam: The manual reminds examiners that banks have flexibility in the design of their BSA/AML compliance programs, and minor weaknesses, deficiencies, and technical violations alone are not indicative of an inadequate program.

“The agencies are aware of the uncertainty faced by financial institutions during this unprecedented time,” the regulators said through an FFIEC release announcing the changes. “The manual update, which supports tailored examination work, has been in process for an extended period and should not be interpreted as new instructions or as a new or increased focus.”

The agencies said updates to other sections of the manual will be announced as they are completed.

Federal and State Regulators Release Updates to BSA/AML Examination Manual