Federal Financial Institutions Examination Council Bank Secrecy Act/Anti-Money Laundering InfoBase

Bank Secrecy Act
Anti-Money Laundering
Examination Manual

EXPANDED EXAMINATION OVERVIEW AND PROCEDURES FOR AN ENTERPRISE-WIDE COMPLIANCE PROGRAM AND OTHER STRUCTURES

Enterprise-Wide BSA/AML Compliance Program—Overview

Objective. Assess the organization’s enterprise-wide program for BSA/AML compliance through the holding company or lead financial institution.[138]

Similar to the approach to consolidated credit, market, and operational risk, effective control of BSA/AML risk may call for coordinated risk management. An enterprise-wide BSA/AML compliance program coordinates the specific regulatory requirements throughout an organization inside a larger risk management framework. Such frameworks seek a consolidated understanding of the organization’s risk exposure to money laundering and terrorist financing across all activities, business lines, or legal entities. For example, the holding company or lead financial institution may have a centralized function to evaluate BSA/AML risk; this may include the ability to understand world-wide exposure to a given customer, particularly those considered high-risk or suspicious, consistent with applicable laws.[139]

Many organizations, typically those that are larger or more complex and that may include international operations, implement an enterprise-wide BSA/AML compliance program that manages risks in an integrated fashion across affiliates, business lines, and risk types (e.g., reputation, compliance, or transaction). Aggregating risks on an enterprise-wide basis for larger or more complex organizations may enable an organization to better identify risks and risk exposures within or across specific lines of business or product categories. Consolidated information also assists senior management and the board of directors in understanding and appropriately mitigating risks across the organization. Such programs manage risk at both operational and strategic levels.

While there are currently no regulatory requirements for holding companies or lead financial institutions to adopt an enterprise-wide BSA/AML compliance program, many organizations view this as an effective tool in managing the BSA/AML risks associated with failure to comply with BSA laws and regulations, or the corresponding laws in foreign jurisdictions in which they operate. A sound practice for complex organizations is to establish corporate standards for BSA/AML compliance that reflect the expectations of the organization’s board of directors. Senior management should ensure that these standards are implemented across the organization through effective programs tailored to the activities, business lines, or legal entities. This allows the holding company or lead financial institution to demonstrate to its board of directors that it has effective BSA/AML compliance programs in place across the consolidated organization. Each program should reflect the organization’s business structure and be tailored to its size, complexity, and legal requirements that may vary due to the specific business line or host country jurisdiction.[140]

The enterprise-wide program should include a central point where BSA/AML risks throughout the organization are aggregated. Structurally, the point of consolidation could be established at either the level of the holding company or the lead financial institution. Therefore, organizations that implement an enterprise-wide program should assess risk both individually within business lines and on a consolidated basis across all activities and legal entities. Enterprise-wide systems that operate on a global basis need to consider the various jurisdictions in which they operate as well as the AML laws and requirements they are subject to, and then incorporate these into their overall compliance program. Internal audit should assess the level of compliance with the enterprise-wide BSA/AML compliance program.

Examiners should be aware that some complex, diversified banking organizations may have various subsidiaries that hold different types of licenses and banking charters or may organize business activities and BSA/AML compliance program components across their legal entities. For instance, a highly diversified banking organization may consolidate all its funds transfer functions in a national bank subsidiary, while centralizing its audit function at the holding company. This arrangement may present a challenge to the examiner reviewing a legal entity within the organization, as it may be difficult to evaluate that entity’s BSA/AML compliance.

Subsidiaries, Affiliates, and Business Lines

A holding company or a lead financial institution may decide to implement an enterprise-wide BSA/AML compliance program, either comprehensively or for specific business functions (e.g., audit or suspicious activity monitoring systems). Where business-specific functions are managed in this way, examiners must identify, during an examination or inspection, which portions of the BSA/AML compliance program are part of the enterprise-wide program. This information is critical when scoping and planning a BSA/AML examination.

When evaluating the enterprise-wide BSA/AML compliance program for adequacy, the examiner should determine reporting lines and how each subsidiary fits into the overall enterprise-wide compliance structure. This should include an assessment of how clearly roles and responsibilities are communicated across the organization. The examiner should assess how effectively the holding company or lead financial institution monitors compliance with the enterprise-wide BSA/AML compliance program throughout the organization, including how well the enterprise-wide system captures relevant data from the subsidiaries.

The evaluation of the enterprise-wide BSA/AML compliance program should take into consideration available information about the adequacy of the individual subsidiaries’ BSA/AML compliance program. Regardless of the decision to implement an enterprise-wide BSA/AML compliance program in whole, or in part, the program should ensure that all affiliates meet their applicable regulatory requirements. For example, an audit program implemented solely on an enterprise-wide basis that does not conduct transaction testing at all subsidiaries subject to the BSA would not be sufficient to meet regulatory requirements for independent testing for those subsidiaries.

Holding Company or Lead Financial Institution

Holding companies or lead financial institutions that centrally manage the operations and functions of their subsidiary banks, other subsidiaries, and business lines should ensure that comprehensive risk management policies, procedures, and processes are in place across the organization to address the entire organization’s spectrum of risk. An adequate holding company or lead financial institution enterprise-wide BSA/AML compliance program provides the framework for all subsidiaries, business lines, and foreign branches to meet their specific regulatory requirements (e.g., country or industry requirements). Accordingly, organizations that centrally manage an enterprise-wide BSA/AML compliance program should, among other things, provide appropriate structure; advise the business lines, subsidiaries, and foreign branches on the development of appropriate guidelines; and set risk limits consistent with their domestic and international activities. For additional guidance, refer to the expanded overview section, "Foreign Branches and Offices of U.S. Banks," page 156.

Organizations that implement an enterprise-wide BSA/AML compliance program should assess risk on a consolidated basis across all activities, business lines, and legal entities. Once the organization appropriately assesses its risk on an enterprise-wide basis, this process should be ongoing. Business line subsidiaries and foreign branches should provide periodic updates to the risk assessment process to the central point within the holding company or lead financial institution. The risk assessment should serve as the basis for the development of risk-based policies, procedures, and processes within the activities, business lines, and legal entities. Subsidiary entities should advise the holding company or lead financial institution on the development of risk-based policies, procedures, and processes. After the policies, procedures, and processes are complete, they should be approved by the holding company or lead financial institution. Increasingly, organizations use software or programming solutions to assist in the implementation of the BSA/AML compliance program; these solutions typically include, but are not limited to, monitoring, identifying, and reporting suspicious activity.

Suspicious Activity Reporting

A bank holding company (BHC) or any non-bank subsidiary thereof, or a foreign bank that is subject to the BHC Act or any non-bank subsidiary of such a foreign bank operating in the United States, is required to file a Suspicious Activity Report (SAR) (12 CFR 225.4(f)).[141] Certain savings and loan holding companies, and their non-depository subsidiaries, are required to file SARs pursuant to Treasury regulations (e.g., insurance companies (31 CFR 103.16) and broker/dealers (31 CFR 103.19)). In addition, savings and loan holding companies, if not required to do so, are strongly encouraged to file SARs in appropriate circumstances.

Interagency guidance clarifies that banking organizations may share SARs with head offices and controlling companies, whether located in the United States or abroad.[142] The guidance does not address whether a banking organization may share a SAR with an affiliate other than a controlling company or head office. Therefore, banking organizations should not share SARs with such affiliates. However, in order to manage risks across the organization, banks may disclose to entities within their organization the underlying information supporting a SAR filing. Refer to the core overview section, "Suspicious Activity Reporting," page 60, for additional guidance.