Joint Statement on Risk-Focused Bank Secrecy Act/Anti-Money Laundering Supervision

Issued July 22, 2019; and revised July 24, 2019

3-1873.5

Introduction

The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency (collectively, “the federal banking agencies”), and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) are issuing this joint statement to emphasize their risk-focused approach to examinations of banks’ Bank Secrecy Act¹/anti-money laundering (BSA/AML) compliance programs. This statement is being issued as part of a broader effort to reinforce and enhance the effectiveness and efficiency of the BSA/AML regime.² This statement is intended to improve transparency into the risk-focused approach used for planning and performing BSA/AML examinations and does not establish new requirements. Further, this statement aligns with the federal banking agencies’ long-standing practices for risk-focused safety and soundness examinations.³

Under existing statutory requirements, specifically section 8(s) of the Federal Deposit Insurance Act and section 206 of the Federal Credit Union Act, the federal banking agencies have prescribed regulations requiring each bank⁴ to establish and maintain procedures reasonably designed to assure and monitor compliance with the requirements of the BSA (collectively, these procedures form the basis of each bank’s “BSA/AML compliance program”).⁵ In addition, pursuant to these statutes, the federal banking agencies review banks’ BSA/AML compliance programs during each examination cycle.⁶

BSA/AML Compliance Programs and Risk Profiles

To assure that BSA/AML compliance programs are reasonably designed to meet the requirements of the BSA, banks structure their compliance programs to be risk-based and to identify and report potential money laundering, terrorist financing, and other illicit financial activity. A risk-based compliance program enables a bank to allocate compliance resources commensurate with its risk. A bank’s well-developed risk assessment is a critical part of sound risk management and assists examiners in understanding the bank’s risk profile. Banks determine the levels and types of risks that they will assume.⁷ Banks that operate in compliance with applicable law, properly manage customer relationships, and effectively mitigate risks by implementing controls commensurate with those risks are neither prohibited nor discouraged from providing banking services.⁸ As the federal banking agencies have previously stated, banks are encouraged to manage customer relationships and mitigate risks based on customer relationships rather than declining to provide banking services to entire categories of customers.⁹

Federal banking agency examiners evaluate the adequacy of a bank’s BSA/AML compliance program relative to its risk profile, and that bank’s compliance with applicable laws and regulations. Examiners review risk-management practices to evaluate and assess whether a bank has developed and implemented effective processes to identify, measure, monitor, and control risks. The federal banking agencies and FinCEN recognize that banks vary in focus¹⁰ and complexity, and that these differences create for each bank a unique risk profile. Accordingly, the scope of BSA/AML examinations varies by bank.

Risk-Focused Examinations

The federal banking agencies conduct risk-focused BSA/AML examinations, and tailor examination plans and procedures based on the risk profile of each bank. Common practices for assessing the bank’s risk profile include:

leveraging available information, including the bank’s BSA/AML risk assessment, independent testing or audits, analyses and conclusions from previous examinations, and other information available through the off-site monitoring process or a request letter to the bank,
contacting banks between examinations or prior to finalizing the scope of an examination, and
considering the bank’s ability to identify, measure, monitor, and control risks.

The information gained from assessing the bank’s risk profile assists examiners in scoping and planning the examination and initially evaluating the adequacy of the BSA/AML compliance program. The federal banking agencies generally allocate more resources to higher-risk areas, and fewer resources to lower-risk areas. For example, the pre-examination request list is tailored to the bank’s risk profile, complexity, and planned examination scope. Examiners review a bank’s BSA/AML risk assessment and independent testing to assess the bank’s ability to identify, measure, monitor, and control risks. Risk assessments and independent testing that properly consider and test all risk areas (including products, services, customers, and the geographic locations in which the bank operates and conducts business) are used in determining the examination procedures and transaction testing that should be performed.

The risk-focused approach reflected in this statement forms the foundation for the information, instructions, and procedures communicated to examiners through the Federal Financial Institutions Examination Council BSA/AML Examination Manual.¹¹

Conclusion

Risk-focused BSA/AML examinations consider a bank’s unique risk profile. Examiners use risk assessments and independent testing when planning and conducting examinations. Examiners assess the adequacy of a bank’s BSA/AML compliance program during each examination cycle. The extent of examination activities necessary to evaluate a bank’s BSA/AML compliance program generally depends on a bank’s risk profile and the quality of its risk-management processes to identify, measure, monitor, and control risks, and to report potential money laundering, terrorist financing, and other illicit financial activity.

Interagency statement of July 22, 2019 (SR-19-11).

As stated in 31 U.S.C. 5311, the purpose of the BSA is to require certain reports or records where they have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.

See, for example, the October 3, 2018, Interagency Statement on Sharing Bank Secrecy Act Resources [at 3-1874] and the December 3, 2018, Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing, issued by the federal banking agencies and FinCEN.

See, for example, the November 27, 2018, Federal Financial Institutions Examination Council press release emphasizing risk-focused supervision at https://www.ffiec.gov/press/pr112718.htm.

⁴

Under the BSA the term “bank” is defined in 31 CFR 1010.100(d) and includes each agent, agency, branch, or office within the United States of banks, savings associations, credit unions, and foreign banks.

⁵

12 U.S.C. 1818(s); 12 U.S.C. 1786(q).

⁶

12 U.S.C. 1818(s)(2); 12 U.S.C. 1786(q)(2).

⁷

Bank directors provide guidance regarding acceptable risk exposure levels and corresponding policies while management implements policies, procedures, and practices that translate the board’s goals, objectives, and risk limits into prudent operating standards.

⁸

This statement does not create additional requirements or supervisory expectations for banks.

⁹

However, banks must still comply with the BSA including 31 CFR 1020.210(b)(5) [at 3-1710.6].

¹⁰

For example, a bank with a localized community focus likely has a stable, known customer base.

¹¹

See the Federal Financial Institutions Examination Council Bank Secrecy Act/Anti-Money Laundering Examination Manual (Manual) at https://bsaaml.ffiec.gov/manual. This statement emphasizes the risk-focused approach to BSA/AML supervision that is based on the BSA/AML laws and regulations, and has long been embedded in the Manual.