Fortunately for BSA Officers, regardless of experience level, the Federal Financial Institutions Examination Council (FFIEC) BSA Examination Manual provides guidance for you to build or restructure your AML program. However, copying and pasting the recommendations into your policies and procedures will not be enough to ensure a solid program. You must understand each of the pillars to manage accordingly and, further still, educate those on the front line about the role they will play in bringing it to life. You must also instill a strong culture of compliance at your institution to ensure long-term success. Let's look at the key takeaways for each of the five pillars:
Internal controls
Many factors make the internal control pillar critical to your AML program. Not only is this a required part of BSA compliance, but controls also ensure things are running smoothly and you won't be caught off guard during a regulatory examination. Critical internal controls include:
- Policies, procedures, and processes designed to mitigate and manage money laundering and terror financing
- Providing timely updates in response to changes in regulations will keep your AML program aligned with regulatory expectations
- Incorporating dual controls and the segregation of duties will ensure an essential second management layer
- Tight management of technological and human resources will enable you to ensure that all AML responsibilities are met or, at a minimum, allow you to make your business case to senior management if resources are deficient
- Providing for program continuity despite changes in operations, management, or employee structure will ensure that no surprises occur from issues such as a pandemic or other natural disaster
Designation of a BSA Officer
The BSA Officer pillar seems intuitive; all successful programs must have a competent leader. A carefully considered appointment is critical. Remember these key factors when appointing your BSA Officer:
- The designated BSA Officer must be approved by the Board of Directors and recorded in meeting minutes
- The BSA Officer must have the appropriate background and level of experience for the position. Promoting the head teller of the institution, no matter how great a staff member they may be, will probably not pass regulatory scrutiny
- The BSA Officer must have the necessary authority, independence, and access to resources to administer an adequate AML compliance program. Independence means that the reporting structure should be outside of the compliance area, and the BSA Officer should be the final decision maker on all matters relating to BSA. The title of this position is unimportant from a regulatory perspective, but the authority, independence, and access to resources are critical
Periodic BSA training
Despite sounding straightforward, periodic training is often not implemented properly and is a common examiner finding. Ongoing training is at the heart of a satisfactory AML compliance program. Be sure to take these steps to fulfill the BSA training requirements:
- BSA training is not one size fits all. Training must be tailored to the roles and responsibilities of each employee. The front-line staff is your ultimate line of defense and must have detailed BSA training. However, lenders need to know what is relevant to their job functions, and the board of directors requires high-level training to cover their fiduciary duties
- BSA training must be conducted at least annually and more often if you experience deficiencies in implementing policies and procedures. An effective AML program cannot be achieved without all team members having the necessary knowledge
- Document training modules and dates for every staff member, including the board of directors. If one stubborn executive misses training, you will receive regulatory criticism. Remember to stress a culture of compliance if you run into this situation
Independent testing
This term is used interchangeably with an audit function and is designed to assess a financial institution's compliance with AML requirements and the overall adequacy of the AML compliance program. An audit gives you the ability to shore up any gaps in your program before a regulatory exam. Takeaways from this pillar include:
- Independent testing should be conducted by the internal audit department, outside auditors, consultants, or other qualified independent parties
- The audit must be conducted by those with sufficient knowledge and experience with AML compliance
- Audits should consider the entire AML program, including AML and OFAC monitoring technical resources. Periodic model validations will also be required to ensure AML software is working as intended and that all critical data sources are feeding into each model identified
Ongoing customer due diligence (CDD)
The cornerstone of a robust AML compliance program is adopting and implementing risk-based CDD policies, procedures, and processes for all customers, particularly those that present a higher risk for money laundering and terrorist financing. The objective of CDD is to understand the nature and purpose of customer relationships, which may include understanding the types of transactions in which a customer is likely to engage. These processes assist financial institutions in determining when transactions are potentially suspicious. Below are important factors to assess when developing your CDD program:
- Each CDD program should begin with a Customer Identification Program (CIP) outlined in the USA PATRIOT Act
- CDD should be risk-focused. Not all customers in a higher risk category have equal risk within an institution. Rely on your institution's unique risk assessment to determine how much due diligence is required for each customer type
- As part of CDD, financial institutions must identify and verify beneficial owners of legal entities with an ownership interest of 25% or more. Beneficial ownership is determined under both a control prong and an ownership prong. Under the control prong, the beneficial owner is a single individual with significant responsibility to control, manage or direct a legal entity customer. Each legal entity customer must identify one beneficial owner under the control prong
- It's worth noting that the Anti-Money Laundering Act of 2020 has required FinCEN to analyze any changes needed to the CDD legislation once FinCEN establishes the beneficial ownership registry. Keep your eyes open for updates on CDD and beneficial ownership changes