Minus the footnotes:
Joint Statement on Risk-Focused Bank Secrecy Act/Anti-Money Laundering Supervision
July 22, 2019
The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency (collectively, the federal banking agencies), and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) are issuing this joint statement to emphasize their risk-focused approach to examinations of banks’ Bank Secrecy Act/anti-money laundering (BSA/AML) compliance programs. This statement is being issued as part of a broader effort to reinforce and enhance the effectiveness and efficiency of the BSA/AML regime. This statement is intended to improve transparency into the risk-focused approach used for planning and performing BSA/AML examinations and does not establish new requirements. Further, this statement aligns with the federal banking agencies’ long-standing practices for risk-focused safety and soundness examinations.
Under existing statutory requirements, specifically section 8(s) of the Federal Deposit Insurance Act and section 206 of the Federal Credit Union Act, the federal banking agencies have prescribed regulations requiring each bank to establish and maintain procedures reasonably designed to assure and monitor compliance with the requirements of the BSA (collectively, these procedures form the basis of each bank’s “BSA/AML compliance program”). In addition, pursuant to these statutes, the federal banking agencies review banks’ BSA/AML compliance programs during each examination cycle.
BSA/AML Compliance Programs and Risk Profiles
To assure that BSA/AML compliance programs are reasonably designed to meet the requirements of the BSA, banks structure their compliance programs to be risk-based and to identify and report potential money laundering, terrorist financing, and other illicit financial activity. A risk-based compliance program enables a bank to allocate compliance resources commensurate with its risk. A bank’s well-developed risk assessment is a critical part of sound risk management and assists examiners in understanding the bank’s risk profile. Banks determine the levels and types of risks that they will assume. Banks that operate in compliance with applicable law, properly manage customer relationships and effectively mitigate risks by implementing controls commensurate with those risks are neither prohibited nor discouraged from providing banking services. As the federal banking agencies have previously stated, banks are encouraged to manage customer relationships and mitigate risks based on customer relationships rather than declining to provide banking services to entire categories of customers.
Federal banking agency examiners evaluate the adequacy of a bank’s BSA/AML compliance program relative to its risk profile, and that bank’s compliance with applicable laws and regulations. Examiners review risk management practices to evaluate and assess whether a bank has developed and implemented effective processes to identify, measure, monitor, and control risks. The federal banking agencies and FinCEN recognize that banks vary in focus and complexity, and that these differences create for each bank a unique risk profile. Accordingly, the scope of BSA/AML examinations varies by bank.
The federal banking agencies conduct risk-focused BSA/AML examinations, and tailor examination plans and procedures based on the risk profile of each bank. Common practices for assessing the bank’s risk profile include:
• leveraging available information, including the bank’s BSA/AML risk assessment, independent testing or audits, analyses and conclusions from previous examinations, and other information available through the off-site monitoring process or a request letter to the bank,
• contacting banks between examinations or prior to finalizing the scope of an examination, and
• considering the bank’s ability to identify, measure, monitor and control risks.
The information gained from assessing the bank’s risk profile assists examiners in scoping and planning the examination and initially evaluating the adequacy of the BSA/AML compliance program. The federal banking agencies generally allocate more resources to higher-risk areas, and fewer resources to lower-risk areas. For example, the pre-examination request list is tailored to the bank’s risk profile, complexity, and planned examination scope. Examiners review a bank’s BSA/AML risk assessment and independent testing to assess the bank’s ability to identify, measure, monitor, and control risks. Risk assessments and independent testing that properly consider and test all risk areas (including products, services, customers, and the geographic locations in which the bank operates and conducts business) are used in determining the examination procedures and transaction testing that should be performed. The risk-focused approach reflected in this statement forms the foundation for the information, instructions, and procedures communicated to examiners through the Federal Financial Institutions Examination Council BSA/AML Examination Manual.
Risk-focused BSA/AML examinations consider a bank’s unique risk profile. Examiners use risk assessments and independent testing when planning and conducting examinations. Examiners assess the adequacy of a bank’s BSA/AML compliance program during each examination cycle. The extent of examination activities necessary to evaluate a bank’s BSA/AML compliance program generally depends on a bank’s risk profile and the quality of its risk management processes to identify, measure, monitor, and control risks, and to report potential money laundering, terrorist financing, and other illicit financial activity.