Pub. 6 2015 Issue 2

www.wvbankers.org 20 West Virginia Banker T he regulatory overhaul since the economic crisis has created a huge compliance burden for banks to implement. However, adopting subtle changes in regulatory policy can be just as challenging. The latter appears to be the case in the 2014 update release of the Bank Secrecy Act/Anti-Money Launder- ing (BSA/AML) Examination Manual (Manual). The 440-plus page manual contains an overview of BSA compli- ance program requirements, risk and risk management expectations, sound industry practices and examination procedures. The manual is receiving heightened attention as examiners are in the process of visiting banks for their 2015 reviews. Although the guide is a consolidation of existing policies already communicated to the industry, a bank's exam that comes after the release of a new manual is usu- ally where a standard or requirement is first enforced. Below are highlights of key changes included in this update: Suspicious Activity Reporting The biggest change noted in the updated manual deals with suspicious activity reporting and monitoring. It established new guidance on controls over banks’ BSA monitoring systems. Specifically, bank policies and procedures should clearly document the authority to “establish or change expected activity profiles” used to detect unusual activity. In addition, controls should ensure limited access to the monitoring systems and access priv- ileges in the system must be appropriate under the circumstances. Furthermore, any changes should require the review and approval of the BSA compliance officer as well as senior management. The manual also added a requirement that management tests the “filtering criteria” in the monitoring system. Previously management only had to “review” the criteria, now it has to “review and test.” Management, however, should still be able to “document and explain” the models in the system. Finally, an “independent validation” of the system’s “programming methodology and effectiveness” to ensure that the models are detecting potentially suspicious activity has always been re- quired. Now the scope of the independent validation has been expanded to “verify” the surveillance monitoring policies/pro- cedures and management’s compliance with such policies. BSA systems’ filtering criteria, parameters, rules and programming methodology are By Joseph W. Hager, CPA, CGMA Small Changes to BSA Manual Could Have Large Compliance Implications all considered part of the models used to detect potentially suspicious activity. Therefore, the April 4, 2011, Supervisory Guidance on Model Risk Management (issued by the Board of Governors of the Federal Reserve System and the Office of the Comptroller of the Currency) with its requirement on model documentation and validation also applies. The manual also included certain me- chanical changes. For example, an activity necessitating a Suspicious Activity Report had previously required a subsequent report 90 days later if the activity contin- ued. The update extended that period to 120 days. Customer Due Diligence In relation to Customer Due Diligence (CDD), the manual added a footnote refer- ence to FIN-2010-G001, 2010 “Guidance on Obtaining and Retaining Beneficial Ownership Information” issued in May 2010. The guidance consolidated existing regulatory expectations for obtaining ben- eficial ownership information for certain accounts and customer relationships. The guidance retained risk based CDD, which may include identifying and verifying beneficial owners. The guidance also retained private banking account benefi- cial ownership verification requirements. Note that an ownership threshold was not specified. However, FinCEN’s Notice of Proposed Rulemaking (August 4, 2014), “Customer Due Diligence Requirements for Financial Institutions,” does specify a threshold of 25%. Office of Foreign Assets Control The manual added OFAC’s “encour- age[ment]” for banks to take a risk-based approach when implementing their OFAC programs. One item to note is that the revised manual excluded OFAC’s “Revised Guidance on Entities Owned by Persons Whose Property and Interests in Property Are Blocked” (August 13, 2014). This revised guidance aggregates ownership interests of Specially Designated Nation- als (SDNs) in an entity. If the aggregate direct or indirect ownership of SDNs in an entity reaches 50% or more, then the entity becomes blocked (known as a “shadow” or “deemed” SDN). In other words, if blocked persons own directly or indirectly 50% or more of an entity, then that entity itself becomes blocked. Thus, financial institutions are