TABLE OF CONTENTS

DATE:	November 30, 2007
MEMORANDUM TO:	Sandra L. Thompson, Director
	Division of Supervision and Consumer Protection
FROM:	Russell A. Rau [Electronically produced version; original signed by Russell A. Rau]
	Assistant Inspector General for Audits
SUBJECT:	FDIC’s Implementation of the USA PATRIOT Act (Report No. AUD-08-003)

This report presents the results of the subject FDIC Office of Inspector General (OIG) audit. The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (PATRIOT Act)¹ was signed into law on October 26, 2001, as a response to the September 11, 2001 terrorist attacks. Title III of the PATRIOT Act—International Money Laundering² Abatement and Financial Anti-Terrorism Act of 2001³—is intended to facilitate the prevention, detection, and prosecution of international money laundering and terrorist financing and consists of provisions related to (1) international counter- money laundering and related measures, (2) Bank Secrecy Act⁴ (BSA) amendments and related improvements that supplement U.S. authority provided under the BSA to detect money laundering, and (3) currency crimes and protection. The FDIC’s Division of Supervision and Consumer Protection (DSC) monitors FDIC-supervised financial institutions’ compliance with the PATRIOT Act Title III requirements.

The audit objectives were to determine whether (1) examination procedures are designed to evaluate institution compliance with the anti-money laundering (AML) and terrorist financing provisions of the PATRIOT Act and (2) those procedures were fully and consistently implemented to provide reasonable assurance that institutions with weak programs for detecting money laundering and terrorist financing activity will be identified and appropriate corrective measures taken. We conducted this performance audit in accordance with generally accepted government auditing standards. Appendix I of this report discusses our objectives, scope, and methodology in detail.

BACKGROUND

Emphasis on AML efforts, in general, and the international fight against money laundering and terrorist financing, in particular, has risen significantly since the September 11, 2001 terrorist attacks. The PATRIOT Act made a number of amendments to the AML provisions of the BSA, also known as the Currency and Foreign Transactions Reporting Act. Congress passed the BSA to (1) prevent banks and other financial service providers from being used as intermediaries for, or to hide the transfer or deposit of, money derived from criminal activity and (2) help identify the source, volume, and movement of currency and other monetary instruments transported or transmitted into or out of the United States or deposited in financial institutions.

The BSA authorizes the Department of the Treasury (Treasury) to require financial institutions to establish BSA/AML compliance programs;⁵ file certain reports that are used in criminal, tax, or regulatory investigations or proceedings; and keep certain records of transactions. The BSA’s implementing regulation⁶ is used to aid law enforcement agencies in the investigation of suspected criminal activity such as illegal drug activities, income tax evasion, and money laundering by organized crime. The PATRIOT Act expanded the Treasury’s authority to regulate the activities of U.S. financial institutions, especially their relations with entities and individuals with foreign ties, and increased the focus on terrorist financing activities. The Financial Crimes Enforcement Network (FinCEN), a bureau of the Treasury, is the delegated administrator of the BSA. FinCEN issues regulations and interpretive guidance, provides outreach to regulated industries, and supports the examination function of the Federal Banking Agencies (FBA),⁷ and pursues civil enforcement actions, when warranted.

Examination Procedures Related to AML and Terrorist Financing Provisions of the PATRIOT Act

Although overall authority for BSA enforcement and compliance remains with the Treasury, its regulations delegate authority to the FBAs, including the FDIC, to examine financial institutions for compliance. In addition, Section 8(s) of the Federal Deposit Insurance (FDI) Act,⁸ provides the FDIC authority to examine and enforce compliance at FDIC-supervised financial institutions. Since the PATRIOT Act amended the BSA, each BSA/AML examination also encompasses a review of financial institutions’ compliance with PATRIOT Act requirements.⁹ In June 2005, the FFIEC issued interagency guidance in the FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual (FFIEC BSA/AML Examination Manual or examination manual) to provide examination procedures related to BSA, AML, PATRIOT Act, and Office of Foreign Assets Control (OFAC)¹⁰ compliance. The FFIEC members revised the FFIEC BSA/AML Examination Manual in July 2006¹¹ to update examination procedures related to BSA/AML and PATRIOT Act compliance. Table 1 outlines the specific sections of the PATRIOT Act for which the FDIC and other FBAs have issued examination guidance.

Table 1: Status of Examination Procedures for PATRIOT Act Provisions

Appendix II provides additional information on the status of regulations and examination procedures for PATRIOT Act sections.

Supervisory and Enforcement Guidance Related to the Identification and Correction of BSA/AML Compliance Program Deficiencies

Noncompliance with BSA/AML and PATRIOT Act requirements could expose financial institutions to actions from the FDIC and other FBAs, Treasury, and/or Department of Justice.

Specifically, the FDIC can impose supervisory and/or enforcement actions and has issued guidance to its examiners that outlines its authority to impose such actions. For example, in October 2006, the FDIC issued a Regional Directors (RD) memorandum entitled, Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements. The memorandum provides specific guidance to assist examiners in determining when to recommend C&Ds for noncompliance with BSA/AML and PATRIOT Act requirements. In addition, on July 19, 2007, the Interagency Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements (Interagency Statement) was issued by the FBAs, establishing the agencies’ policy on circumstances in which an agency will issue a C&D to address noncompliance with certain BSA/AML requirements. The FDIC transmitted the Interagency Statement to the institutions it supervises on August 23, 2007. In accordance with Section 8(s) of the FDI Act, the FDIC is authorized to issue a C&D if an institution has failed to establish and maintain a BSA compliance program or has failed to correct any previously reported problem with the program.

The FDIC has imposed actions to correct noncompliance with BSA and PATRIOT Act provisions, as indicated in Table 2. In addition, in compliance with an information-sharing Memorandum of Understanding¹² (MOU) between FinCEN and the FBAs, the FDIC has referred certain financial institutions to FinCEN for consideration of civil money penalties (CMP) for noncompliance with BSA provisions.

Customer Identification Programs

Of the five BSA/AML compliance program pillars (see footnote 5), only the requirement for financial institutions to implement a Customer Identification Program (CIP) directly resulted from enactment of the PATRIOT Act. Specifically, Section 326 of the PATRIOT Act, which is implemented through Treasury regulations 31 C.F.R. Part 103.121 and Section 326.8 of the FDIC’s Rules and Regulations, requires banks to implement a written, board-approved CIP that is appropriate for the institution’s size and type of business. The CIP must include (1) account-opening¹³ procedures that specify the identifying information that will be obtained from each customer,¹⁴ and (2) reasonable and practical risk-based procedures for verifying the identity of each customer. These procedures must be based on the bank’s assessment of the relevant risks, including those presented by the various types of accounts maintained by the bank; the various methods of opening accounts provided by the bank; the various types of identifying information available; and the bank’s size, location, and customer base. The FFIEC BSA/AML Examination Manual identifies an objective for examiners to assess a bank’s compliance with the statutory and regulatory requirements for a CIP. Appendix III provides additional information on the requirements related to CIPs.

Risk Assessments

Various sections of the PATRIOT Act, such as those addressing CIPs, correspondent accounts,¹⁵ and concentration accounts,¹⁶ address the linkage between risk and the establishment of appropriate controls within the BSA/AML compliance programs of financial institutions. These risks include terrorist financing, money laundering, and other criminal activity. One means by which institutions can gain an understanding of these risks is through development of a BSA/AML risk assessment. BSA/AML risk assessments are not specifically required by statute or regulation, but are set forth in the FFIEC BSA/AML Examination Manual as a good business practice for institutions to use in developing risk-based controls in their BSA/AML compliance programs and, therefore, also for compliance with the PATRIOT Act. In fact, in the 2006 version of the manual, risk assessment was given its own section to emphasize its importance in the design of effective controls at institutions and in the BSA/AML examination process. Figure 1 shows how the financial institution’s risk assessment links to the overall BSA/AML compliance program.

According to the FFIEC BSA/AML Examination Manual, examiner scoping and planning for financial institution examinations generally begins with an analysis of the institution’s BSA/AML risk assessment.¹⁷ Examiners should determine whether the institution has adequately identified the risk associated with compliance with BSA/AML requirements and implementation of the PATRIOT Act in its banking operations which, as indicated above, include its products, services, customers, and geographic locations. Further, the July 2007 Interagency Statement lists risk assessment as part of the system of internal controls, which, like the CIP, is one of the five required pillars of a BSA/AML compliance program.

Additional Steps to Address PATRIOT Act Compliance

In addition to issuing FILs to FDIC-supervised institutions to inform them of related examination and enforcement guidance, the FDIC has taken a number of steps to strengthen PATRIOT Act compliance. For example, the FDIC has:

• Conducted training and outreach sessions for its examiners and the banking industry, including providing presentations at various industry conferences and seminars targeting BSA/AML and counter-financing of terrorism issues. Training and outreach activities included discussions on the revisions to the 2006 FFIEC BSA/AML Examination Manual.
• Taken steps to ensure that examiners complete a mandatory training curriculum related to BSA/AML and the PATRIOT Act and certified a number of its BSA subject matter experts under the Association of Certified AML Specialists¹⁸ certification program.
• Issued RD Memoranda, including the updated FDIC Risk Management Manual of Examination Policies; various fact sheets; and frequently asked questions on issues such as CIP and information sharing.¹⁹
• Revised BSA-related violation codes to specifically include PATRIOT Act requirements.
• Established performance measures that address BSA/AML and PATRIOT Act compliance.
• Created a National BSA/AML Task Force and participated in various BSA/AML and PATRIOT Act-related working groups to address BSA/AML policy and procedural matters. Under the auspices of the FFIEC BSA/AML Working Group, which was created in June 2004, the FBAs developed the interagency examination procedures in the FFIEC BSA/AML Examination Manual. In addition, the FDIC is a member of the BSA Advisory Group Examination Subcommittee, which meets with the banking industry to solicit feedback regarding money-laundering risks,²⁰ and works with the Conference of State Bank Supervisors (CSBS) on updates to BSA/AML examination guidance.²¹

RESULTS OF AUDIT

The FDIC, in conjunction with the FFIEC, has issued comprehensive examination procedures in the FFIEC BSA/AML Examination Manual designed to assist examiners in evaluating institution compliance with the AML and terrorist financing provisions of the PATRIOT Act. Additionally, the FDIC has issued supervisory and enforcement guidance on corrective actions for noncompliance with the BSA and PATRIOT Act and referrals of significant BSA violations to FinCEN for review and possible assessment of civil and/or criminal penalties. Notably, the FDIC has taken formal and informal action in a number of cases to address noncompliance with BSA and PATRIOT Act provisions and related regulations and made referrals to FinCEN as required based on the information-sharing MOU with FinCEN. The FDIC has also taken steps to strengthen BSA and PATRIOT Act compliance, including training and industry outreach, certifications for AML specialists, and the establishment of BSA-related performance measures.

Generally, FDIC examiners implemented examination procedures in the FFIEC BSA/AML Examination Manual related to the PATRIOT Act. However, the FDIC could enhance the implementation of examination procedures with respect to CIPs. The FDIC examiners reviewed CIPs for all 24 of our sampled financial institutions and cited CIP-related violations at 5 of those institutions. However, we found other apparent violations of CIP requirements that were not consistently identified and reported by examiners. The CIP requirements are intended to ensure that a financial institution can form a reasonable belief that it knows the true identity of its customers. Consistent examiner identification and reporting of apparent CIP violations can provide the FDIC greater assurance that institutions with weak programs for detecting money laundering and terrorist financing activity are identified and appropriate and timely corrective measures are taken (Implementation of Examination Procedures for Customer Identification Programs).

Although not specifically required by statute or regulation, BSA/AML risk assessments are emphasized in examination guidance to provide a means for (1) institutions to design risk-based BSA/AML compliance programs, which include internal controls, to mitigate risks and (2) examiners to scope and plan their evaluation of the adequacy of BSA/AML compliance programs. Concerning the risk assessments, we found that 21 of 24 sampled institutions had prepared the assessments. Examiners considered the institution-prepared risk assessments in BSA/AML examinations and took appropriate action in the 3 cases where institutions had not prepared assessments. While it is notable that risk assessment is widely used in the design and examination of BSA/AML compliance programs, we observed inconsistencies in addressing and reporting on the risk categories and factors listed in the FFIEC BSA/AML Examination Manual. However, the July 2007 Interagency Statement on enforcement of BSA/AML requirements specifically lists risk assessment as part of the system of internal controls mandated for institutions by regulation. The Interagency Statement should focus additional attention on the design and examination of risk assessments, including the use of designated risk categories and factors. Therefore, we are not making recommendations in this area at this time. Finally, we determined that risk assessments for 8 of the 24 financial institutions were based on a matrix format intended for use by examiners that did not provide for a detailed assessment of risk categories and factors. Use of this matrix in lieu of a more thorough risk assessment could result in BSA/AML risks not being identified (Implementation of Examination Procedures for Risk Assessments).

IMPLEMENTATION OF EXAMINATION PROCEDURES FOR CUSTOMER IDENTIFICATION PROGRAMS

The FDIC could enhance the implementation of examination procedures in the FFIEC BSA/AML Examination Manual concerning institution CIPs. Although examiners reviewed CIPs for all of the 24 sampled financial institutions and cited CIP-related violations at 5 of those institutions, we found other apparent violations of CIP requirements in the programs that were not consistently identified and reported by examiners to the FDIC and to financial institution management. The CIP requirements, such as having procedures to verify a customer’s identity prior to opening an account, are intended to ensure that the financial institution can form a reasonable belief that it knows the true identity of its customers. Consistent examiner identification and reporting of apparent CIP violations can provide the FDIC greater assurance that institutions with weak programs for detecting money laundering and terrorist financing activity are identified and appropriate and timely corrective measures are taken.

Requirements Related to the CIP

Section 326 of the USA PATRIOT Act²²requires financial institutions to implement a written, board-approved CIP, appropriate for the institution’s size and type of business, which includes, at a minimum, procedures for:

• verifying a customer’s true identity to the extent reasonable and practicable and defining the methodologies to be used in the verification process,
• collecting specific identifying information from each customer when opening an account,
• responding to circumstances and defining actions to be taken when a customer’s true identity cannot be appropriately verified with “reasonable belief,”
• maintaining appropriate records during the collection of information and verification of a customer’s identity,
• verifying a customer’s name against a federal government list of known or suspected terrorists or terrorist organizations,²³ and
• providing customers with adequate notice that the bank is requesting identification to verify their identities.

The FFIEC BSA/AML Examination Manual directs examiners to assess financial institution compliance with the statutory and regulatory requirements for CIPs. Examiners should verify whether a financial institution’s policies, procedures, and processes include a comprehensive program to identify customers who open an account after October 1, 2003. The CIP must be examined as part of the institution’s BSA/AML compliance program. Additionally, the manual states that examination findings should be discussed with the bank’s management and all significant findings must be included in the ROE. In addition, the FDIC’s Risk Management Manual of Examination Policies provides guidance to examiners related to the institution’s written, board-approved CIP. The manual outlines specific requirements such as (1) account-opening procedures that specify the identifying information to be obtained from each customer, (2) procedures for verifying the information, and (3) record retention requirements.

Identification of Apparent Violations

Our review of written institution CIP policies, examination workpapers, and ROEs for 24 sampled financial institutions indicated that the institutions’ CIPs did not always address all CIP requirements necessary to verify the identity of customers who open new accounts with the institutions. We also found that examiners were not consistent in some cases in their identification of apparent violations of CIP requirements. For example, some financial institutions were cited for not including all required customer verification procedures in their CIPs, while others were cited only for apparent violations identified during transaction testing performed as part of the examination, even though the CIPs for those institutions were also found to not include all requirements. In fact, for the five financial institutions in our sample where CIP violations were cited, examiners’ decisions to cite the institutions were generally based on the results of their transaction testing rather than a review of the CIP. Examiners told us that they do not report in the ROE those deficiencies identified solely in the CIP policies – rather, the examiners usually recommend orally or informally that bank management consider those deficiencies in updates to the CIP. Additionally, some examiners included recommendations in the ROEs related to complying with CIP requirements but did not cite violations. The inconsistencies in reporting could result in weak compliance programs remaining uncorrected for extended periods.

Based on our review of the examination workpapers and ROEs for the 24 sampled institutions, including copies of the institutions’ CIP policies, we determined that:

• CIPs for the 5 institutions cited by DSC examiners for apparent CIP violations had other apparent CIP violations that were not cited in the ROE violations section,
• CIPs for the each of the remaining 19 financial institutions in our sample had at least 1 apparent CIP violation that was not cited, and
• 3 institutions could have been but were not cited for 5 or more apparent CIP violations.

Table 3, on the next page, provides a synopsis of CIP violations cited by examiners and some of the more frequent apparent CIP violations at the 24 sampled institutions that were not cited by the examiners.

In summary, although examiners cited some financial institutions for apparent CIP violations, all 24 of the financial institutions in our sample had apparent violations that were not cited in the ROEs. The need to cite apparent violations of CIP requirements when they occur was recently emphasized in the October 4, 2006 RD memorandum entitled, Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements, which states that apparent violations of individual pillars of the BSA/AML compliance program (CIP is one of the pillars) should be cited when detected. Importantly, supervisory actions were taken with regard to one of the five sampled institutions cited in the ROEs for apparent CIP violations but were not taken for the other four institutions. As established by Section 8(s)(3)(B) of the FDI Act²⁴ apparent violations that persist across multiple examinations are subject to a C&D to correct the underlying compliance problem at the institution. Therefore, it is important for examiners to cite CIP violations when detected.

Conclusion

CIPs, which should be designed to ensure that financial institutions know the true identity of their customers, are required to be included in the institutions’ overall BSA/AML compliance program and to address all of the program requirements specified by the PATRIOT Act and FDIC Rules and Regulations. An effective CIP helps to ensure that a financial institution knows the true identity of its customers and serves as a deterrent to criminal use of the nation’s financial system. We consider the inconsistencies in the identification and reporting of apparent CIP violations to be indicative of the need for additional instruction to examiners regarding their review of CIPs. Consistent examiner identification and reporting of apparent CIP violations will provide DSC greater assurance that (1) FDIC-supervised financial institutions are complying with BSA and PATRIOT Act requirements and (2) institutions with weak programs for detecting money laundering and terrorist financing activity are identified and appropriate and timely corrective measures are taken.

DSC stated that, in determining whether there are apparent violations, examiners consider not only the institution’s CIP policy but also any supplemental procedures and forms used by the institution to ensure BSA compliance. To the extent that these procedures or forms were in the institution’s overall BSA policy, we included these documents in our review. However, these procedures and forms were not always included in the examination workpapers, so it is possible, based on this supplemental information, that certain deficiencies in institution CIP policies might not be considered apparent violations by the examiners. Also, some examiners informed us that they only cited apparent violations based on transaction testing, while other examiners cited apparent violations based on CIP policy deficiencies. Consequently, there appears to be a need for additional examination guidance addressing the consideration of supplemental procedures and forms in evaluating CIP policies and whether transaction testing is a necessary basis for citing apparent CIP violations.

We recommend the Director, DSC:

IMPLEMENTATION OF EXAMINATION PROCEDURES FOR RISK ASSESSMENTS

Although not specifically required by statute or regulation, BSA/AML risk assessments are emphasized in examination guidance to provide a means for (1) institutions to design risk-based BSA compliance programs, which include PATRIOT Act requirements, to mitigate risks and (2) examiners to scope and plan their evaluation of the adequacy of BSA/AML compliance programs. We found that 21 of 24 sampled institutions had prepared risk assessments, and examiners took appropriate action when the assessments were not prepared. While it is notable that risk assessment is widely used by institutions to design BSA/AML compliance programs, we observed inconsistencies in addressing and reporting on the risk categories and factors designated in the BSA/AML Examination Manual. In addition, we determined that risk assessments for 8 of the 24 financial institutions were based on a matrix format, which did not provide for full consideration of the designated risk categories and factors. Use of this matrix in lieu of a risk assessment could result in BSA/AML risks not being identified.

Examination Guidance for Risk Assessments

In 2006, the FFIEC members revised the FFIEC BSA/AML Examination Manual to, among other things, add a separate section dedicated to the development and evaluation of financial institution risk assessments.²⁵ The guidance states that financial institutions should adequately assess and document the risk exposures of the institution by identifying specific products and services, customers and entities, and geographic locations unique to the institution. For example, institutions located in high-risk geographic areas, such as High Intensity Financial Crimes Areas (HIFCA)²⁶ or High Intensity Drug Trafficking Areas (HIDTA),²⁷ are normally viewed as having a higher risk of criminal activity. We noted that 20 of the 24 financial institutions included in our sample were located in these high-risk areas. However, geographic location alone does not necessarily determine a customer’s or transaction’s risk level. Figure 2 provides additional details on the three risk categories.

Figure 2: Risk Categories That Should be Considered During the Risk Assessment Process Products and Services Funds Transfers Private Banking Activities Correspondent Accounts Pouch Activities Customers and Entities Nonresident Aliens and Accounts of Foreign Individuals Politically Exposed Persons Professional Service Providers (such as attorneys and accountants) Cash Intensive Businesses Non-Bank Financial Institutions, including Money Services Businesses Geographic Locations Countries Subject to OFAC Sanctions Countries Identified as Supporting International Terrorism Jurisdictions of Primary Money Laundering Concern Major Money Laundering Countries and Jurisdictions HIFCA HIDTA Source: 2006 FFIEC BSA/AML Examination Manual.

The FFIEC BSA/AML Examination Manual also discusses five factors to be considered in its risk assessment process:

• purpose of the account,
• actual or anticipated activity,
• nature of the customer’s business,
• customer’s location, and
• types of products and services used by the customer.

The factors are applied as part of a detailed analysis of bank data—the risk assessment—to gain an understanding of the bank’s risk profile, including the varying levels of risk associated with the institution’s activities and customers. The examination manual states that a risk assessment should be used by the bank to design effective risk-based controls for inclusion in its BSA/AML compliance program. In this regard, the manual indicates that institutions are expected to address the varying levels of risk associated with the categories specified above to facilitate the design and implementation of effective and efficient controls to mitigate identified risks. In addition, the examination manual states that analysis of specific risk factors is important because within any type of product or category of customer, there will be account holders that pose varying levels of risk.

The manual also states that examiners should use a risk assessment to scope, plan, and conduct examinations for BSA and PATRIOT Act compliance and to make an ultimate decision on the adequacy of the overall BSA/AML compliance program. According to the manual, examiners should review the institution’s risk assessment, if one exists; independent audit results, including results of an independent review of the bank’s BSA/AML risk assessment; and prior examination results in addition to other information. If a financial institution has not completed a risk assessment or the examiner concludes that the bank’s risk assessment is inadequate, the manual states that the examiner must complete a risk assessment based on available information and use Appendix J of the examination manual for that purpose. Further, examiners should conduct transaction testing to evaluate the adequacy of the bank’s compliance with regulatory requirements; determine the effectiveness of its policies, procedures, and processes; and evaluate suspicious activity. The manual states that transaction testing is an important factor in forming conclusions about the integrity of the bank’s overall controls and risk management processes.

The manual further states that examiners should evaluate the adequacy of an institution’s BSA/AML risk assessment process. Examiners should also determine whether:

• the BSA/AML compliance program is effectively monitored and supervised in relation to the bank’s risk profile as determined by the risk assessment and ascertain whether the BSA/AML compliance program is effectively mitigating the bank’s overall risk;
• internal controls ensure compliance with the BSA and provide sufficient risk management, especially for high-risk operations (considering products, services, customers, and geographic locations);
• bank management’s lack, or inaccurate assessment, of the bank’s BSA/AML risks could be the underlying cause of policy, procedure, or process deficiencies; and
• there is a need for corrective actions, including the possibility of requiring the financial institution to conduct more detailed risk assessments.

Institution Preparation and Examiner Evaluations of Risk Assessments

For the 24 sampled institutions, we determined that 3 institutions had not prepared risk assessments. In these cases, examiners took appropriate action.²⁸ Concerning the remaining 21 sampled institutions, FDIC examiners considered the institution-prepared risk assessment in BSA/AML examinations. However, we noted the following inconsistencies in the design of the institutions’ risk assessments and related examinations by the FDIC.

• Seven financial institutions had prepared BSA/AML risk assessments that included comprehensive analyses of each of the risk categories and factors in the FFIEC BSA/AML Examination Manual and specified associated risk levels. However, risk assessments for 14 institutions did not address at least one of the risk categories and factors and/or did not specify an associated risk level.
• Twelve examinations documented an overall conclusion on the adequacy of the risk assessment. In the remaining nine examinations, there was no apparent conclusion.
• Seven institutions had at least two consecutive examinations that identified deficiencies related to the institutions’ risk assessments. However, internal control violations were cited in only four of these seven cases.

It is notable that institutions are generally using BSA/AML risk assessments as a component in the design and implementation of their compliance programs. As indicated above, 21 of 24 institutions had prepared risk assessments, and examiners documented conclusions on the adequacy of 12 of 21 assessments prepared by the institutions. Consistent examiner consideration and reporting on risk categories and factors listed in the FFIEC BSA/AML Examination Manual can provide the FDIC greater assurance that financial institutions identify BSA/AML-related risks and design effective risk-based controls necessary to mitigate those risks.

The Interagency Statement, issued on July 19, 2007, lists risk assessments as part of the system of internal controls for purposes of issuing C&Ds. This guidance has the potential to address the inconsistencies we noted in the design and examination of financial institution risk assessments. Specifically, the fact that risk assessment is now linked directly to the internal control pillar of the required BSA/AML compliance program focuses institution attention on preparing comprehensive risk assessments. In addition, directly linking the risk assessment to the internal control pillar should focus the examiner’s attention on the importance of concluding on the adequacy of risk assessments and the citing of violations, where appropriate. Therefore, we are not making recommendations to address this matter at this time.

Use of Appendix J in the FFIEC BSA/AML Examination Manual for Assessing Risk

When an institution has not completed or has an inadequate risk assessment, the FDIC expects examiners to obtain a general understanding of a bank’s products and services, customers and entities, and geographic locations. The FFIEC BSA/AML Examination Manual instructs examiners to use Appendix J of the manual for this purpose. Because the risk assessment process should be comprehensive, it is understandable that examiners cannot conduct a detailed analysis of financial institution risks and that the high-level profile provided by Appendix J is appropriate for their use. In two cases, we noted that examiners used Appendix J because the BSA/AML risk assessment had not been completed by the institution.

However, financial institution use of Appendix J does not provide for detailed analysis of data related to five of the eight risk categories and factors that are part of the risk assessment process and evaluation of the bank’s activities. According to the FFIEC BSA/AML Examination Manual, the complete analysis gives bank management a better understanding of the institution’s risk profile in order to develop the appropriate policies, procedures, and processes to mitigate the overall risk. Specifically, Appendix J does not include a detailed analysis of data for the following five factors:

• purpose of the account,
• actual or anticipated activity in the account,
• nature of the customer’s business,
• customer’s location, and
• types of products and services used by the customer.

The detailed analysis of the above five risk factors is important because, as stated in the FFIEC BSA/AML Examination Manual, within any type of product or category of customer, there will be accountholders that pose varying levels of risk.

We determined that 8 of the 24 financial institutions had used Appendix J, or a modified version of Appendix J, for their risk assessments. Although the manual recognizes that there are many formats that banks may use to effectively document a risk assessment, Appendix J, which is provided for examiner use—not institution use—did not provide for a detailed assessment of the risk factors listed above. The inclusion of Appendix J in the manual may give the impression to financial institutions that this format is acceptable and covers all risk categories and factors that should be assessed by institutions. Therefore, DSC should propose changes to Appendix J to clarify that it is not intended to be used by financial institutions in lieu of performing a comprehensive BSA/AML risk assessment.

DSC management indicated to us, during a discussion of our audit results, that institutions are not required to conduct BSA/AML risk assessments, although most institutions do so as a good management practice. DSC management also stated that there may be low-risk institutions for which examiners conclude that Appendix J provides a sufficient risk assessment. However, we found no criteria governing the definition of a low-risk institution or the use of Appendix J in lieu of a more comprehensive risk assessment. For example, in one case, we found that a large, complex institution with elevated BSA/AML risk used Appendix J for its risk assessment. Instructions to examiners would be beneficial to clarify the circumstances under which Appendix J would be sufficient for institution risk assessments.

Recommendation

We recommend the Director, DSC:

CORPORATION COMMENTS AND OIG EVALUATION

On November 20, 2007, the Director, DSC provided a written response to a draft of this report. DSC’s response is presented in its entirety as Appendix IV to this report. Regarding recommendations 1 and 2, by March 30, 2008, DSC will remind examination staff of supervisory expectations and the appropriate utilization of guidance regarding the identification and reporting of apparent CIP violations and use of Appendix J.

DSC’s actions are responsive to our recommendations. A summary of management’s response to the recommendations is in Appendix V. The recommendations are resolved but will remain open until we have determined that agreed-to corrective actions have been completed and are effective.

Objectives

The objectives of this audit were to determine whether (1) examination procedures are designed to evaluate institution compliance with the AML and terrorist financing provisions of the PATRIOT Act and (2) those procedures were fully and consistently implemented to provide reasonable assurance that institutions with weak programs for detecting money laundering and terrorist financing activity will be identified and appropriate corrective measures taken. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. We performed our audit from September 2006 through May 2007.

Scope and Methodology

• Obtained an understanding of FDIC and FFIEC guidance related to examination procedures for determining PATRIOT Act and BSA compliance by reviewing appropriate examiner and financial institution guidance.
• Interviewed DSC officials in Washington, D.C., and selected field offices and representatives of the FDIC’s Legal Division in Washington, D.C.
• Identified and reviewed applicable criteria, including laws, rules, and regulations; examination guidance; and authorities related to examination and enforcement of BSA and PATRIOT Act compliance and the citing and tracking of violations related to compliance.
• Reviewed the following:
  • Federal Register notices and other agency and regulatory reports and related documents to gain an understanding of the FBAs’ roles and responsibilities in implementing the PATRIOT Act.
  • The Treasury’s Web site, including FinCEN’s Web site, to obtain background information on the BSA and PATRIOT Act and to determine the status of the Treasury’s rulemaking (proposed, interim, and final rules) related to the PATRIOT Act.
  • Related audit reports issued by the FDIC OIG and GAO.

To address our objective related to whether examination procedures were fully and consistently implemented, we limited our review to CIP and risk assessment-related procedures. In addition, we obtained information from DSC on examinations conducted after the release of the FFIEC BSA/AML Examination Manual, issued June 2005, and the updated manual issued July 28, 2006. We limited the sample universe to examinations completed September 1, 2005 to October 31, 2006. From those examinations, we selected a non-statistical sample of examinations for 24 FDIC-supervised financial institutions for detailed review.²⁹ To select the sample for review, we considered:

• size and geographic location of the financial institution and
• whether examiners had cited the financial institutions for PATRIOT Act violations.

For the sampled examinations, we reviewed ROEs, supporting work papers, correspondence files, supervisory and enforcement action information, and other pertinent documentation. We selected the sampled examinations from DSC’s Atlanta, Kansas City, New York, and San Francisco regional offices. Additionally, we reviewed system data related to BSA examinations from DSC’s Virtual Supervisory Information on the Net (ViSION), the automated system used by DSC to capture data on the results of DSC’s reports of examination, including identified BSA violations. In addition, we reviewed system data from the Formal and Informal Action Tracking System, which captures information on supervisory and enforcement actions, and referrals that the FDIC forwarded to FinCEN in compliance with the 2004 information-sharing MOU between the FDIC, the other FBAs, and FinCEN.

Additionally, we coordinated with the IG Counsel, Office of Investigations, and other Office of Audits Directorates and FDIC Office of the Ombudsman.

We gained an understanding of the internal control activities relevant to the FDIC’s examination process for BSA and PATRIOT Act compliance by identifying and reviewing applicable policies and procedures related to the FDIC’s examinations for BSA and PATRIOT Act compliance, including guidance provided to FDIC examiners (FFIEC BSA/AML Examination Manual, FDIC Risk Management of Examination Policies, FILs, and Treasury regulations). Additionally, we interviewed DSC officials in the Washington, D.C., office; DSC representatives in selected regional and field offices; and the Examiners-in-Charge for the 24 sampled examinations.

Our assessment of internal controls determined that the FDIC has implemented some internal controls and examination guidance, including interagency examination procedures, related to examinations of financial institution compliance with the PATRIOT Act. However, controls related to the implementation of PATRIOT Act compliance programs need improvement, as indicated in our Results of Audit.

We used computer-based data and reports that DSC provided from the ViSION system to identify the universe of examinations conducted from September 1, 2005 through October 31, 2006. Although our audit identified certain inaccuracies in the ViSION data related to BSA and PATRIOT Act compliance, the data obtained from ViSION were not significant to our conclusions or recommendations. We also used information obtained from the FDIC’s Formal and Informal Action Tracking System to identify supervisory and enforcement actions related to BSA/AML and PATRIOT Act compliance.

Compliance with Laws and Regulations. We reviewed applicable laws and regulations on PATRIOT Act compliance. We determined that the FDIC has general laws and regulations that relate to its overall examination authority (Section 10(b) of the FDI Act and Section 337.12 of the FDIC Rules and Regulations). The FDIC can rely on its general authority to impose enforcement actions under Section 8 of the FDI Act as it relates to operating a financial institution in an unsafe and unsound manner or noncompliance with laws and regulations to take action for PATRIOT Act compliance. The FDIC also has specific authority as outlined in Section 8(s) of the FDI Act as it relates to compliance with the BSA.

Government Performance and Results Act. We reviewed the FDIC 2005-2010 Strategic Plan, the 2006 Annual Performance Plan, and DSC's divisional performance objectives to determine whether the Corporation and/or DSC had performance goals, objectives, and indicators or targets that specifically relate to the examination and enforcement of PATRIOT Act compliance or whether PATRIOT Act issues were generally included in matters related to BSA examination and compliance.

According to the FDIC 2006 Annual Performance Plan, the FDIC has established the following strategic goal, objective, and annual performance goals (see Table 4, on the next page) related to the risk management component of the FDIC’s Supervision Program and to the supervision of financial institutions for compliance with the BSA/AML and PATRIOT Act.

The FDIC performs risk management examinations that include BSA examinations. Because the PATRIOT Act amended the BSA, an examination for PATRIOT Act compliance is included in BSA examinations. BSA compliance is a factor in assessing the willingness and ability of management to mitigate the operational risks of the bank and compliance with governing laws and regulations, which are a significant factor in the overall assessment of the condition of the institution.

In addition, according to the 2006 Annual Performance Plan, the FDIC’s supervision program promotes the safety and soundness of FDIC-supervised insured depository institutions, protects consumers’ rights, and promotes community investment initiatives by FDIC-supervised insured depository institutions. As the primary federal regulator of all insured state non-member banks, the FDIC performs periodic examinations of those FDIC-supervised insured depository institutions to assess their overall financial condition, management policies and practices, and compliance with applicable laws and regulations.

In addition to FDIC corporate objectives, DSC has implemented a performance objective to assist in protecting the infrastructure of the U.S. banking system against terrorist financing, money laundering, and other financial crimes by implementing a comprehensive industry outreach and education effort on the BSA, AML, and counter-financing of terrorism issues.

Prior Coverage

The FDIC OIG and the Government Accountability Office (GAO) have issued audit reports that relate to examination and enforcement of compliance with Title III of the PATRIOT Act. Table 5, on the next page, provides a synopsis of the prior FDIC audit coverage related to BSA compliance.

The GAO has also conducted audits related to PATRIOT Act compliance as indicated below.

Opportunities Exist for FinCEN and the Banking Regulators to Further Strengthen the Framework for Consistent BSA Oversight, GAO-06-386, dated April 2006.

The audit objective was to determine how (1) federal banking regulators examine for BSA compliance and identify and track violations to ensure timely corrective action and (2) enforcement actions are taken for violations of the BSA. The audit recognized the actions that the FDIC and other FBAs, along with FinCEN, have taken to strengthen the framework for BSA compliance, including more consistent examination procedures, recent improvements to automated tracking systems used to monitor BSA compliance, and efforts to share BSA-related information under an information-sharing MOU with FinCEN. However, the report recommended that FBAs and FinCEN:

• communicate emerging risks through updates of the interagency examination manual and other guidance;
• periodically review BSA violation data to determine if additional guidance is needed; and
• jointly assess the feasibility of developing a uniform classification system for BSA compliance problems.

FinCEN and the FBAs supported GAO’s recommendations and expressed commitment to ongoing interagency coordination to address them.

USA PATRIOT Act Additional Guidance Could Improve Implementation of Regulations Related to Customer Identification and Information Sharing Procedures, GAO-05-412, dated May 2005. The audit focused on Sections 326 and 314 of Title III of the PATRIOT Act. The audit objective was to determine how:

• the government “developed the regulations, educated the financial industry on them, and challenges it encountered”;
• regulators have updated guidance, trained examiners, and examined firms for compliance; and
• the new regulations have affected law enforcement investigations.

The GAO reported, in part, that although the FDIC and other FBAs have issued examination guidance related to Section 326 of the PATRIOT Act, examinations did not always determine whether financial institutions had adequately developed a CIP appropriate for their business lines and types of customers. The GAO also reported that this aspect of CIP is critical for ensuring that the identification and verification procedures are appropriate for the types of customers and accounts that are at higher risk of being linked to money laundering and terrorist activities. In addition, the GAO reported that some examinations also revealed implementation difficulties related to CIP that could lead to inconsistencies in the way examiners conduct examinations.

The GAO concluded that examiners and financial institutions may not always understand the requirement for a comparison of customer names against any list of known or suspected terrorists or terrorist organizations.

The GAO recommended that:

• the Treasury, through FinCEN, and with the federal financial regulators and state regulatory agencies, develop additional guidance on ongoing implementation issues.
• FinCEN work with the federal financial regulators to develop additional guidance for examiners to improve examinations of compliance with CIP requirements.

The final rule for Section 326 of the PATRIOT Act, which became effective on June 9, 2003, provides a framework that includes the minimum standards that financial institutions must consider when identifying customers. Banks should conduct a risk assessment of their customer base and product offerings, and in determining the risks, consider the types of accounts offered; methods of opening accounts; types of identifying information available; and the bank’s size, location, and customer base. The rule allows banks to develop a CIP tailored to the risk profile of the bank and impose risk-based procedures.

According to the FFIEC BSA/AML Examination Manual, a financial institution’s CIP must include procedures:

• specifying information that will be obtained from each customer when accounts are opened;
• verifying the identity of the customer within a reasonable period of time after the account is opened based on the financial institution’s risk;
• providing customers with adequate notice that the bank is requesting information to verify their identities;
• describing when it will use documents, nondocumentary methods, or a combination of both to verify identity;
• specifying the minimum acceptable documentation when a bank uses documentation methods to verify a customer’s identity;
• outlining methods to be used when banks use nondocumentary methods to verify a customer’s identity;
• addressing situations where, based on its risk assessment of a new account opened by a customer who is not an individual, the bank will obtain information about individuals with authority or control over such accounts, including signatories;
• determining whether the customer appears on any federal government list of known or suspected terrorists or terrorist organizations;³⁰ and
• addressing recordkeeping and retention of identifying information for a period of 5 years after the account is closed (for credit cards, the retention period is 5 years after the account is closed or becomes dormant).

In addition, procedures should address circumstances in which the bank cannot form a reasonable belief that it knows the true identity of the customer. A financial institution is allowed to reasonably rely on another financial institution to perform its CIP procedures when certain conditions are met, including when the other institution is supervised by a federal financial regulator and establishes a contractual arrangement for annual certification that the institution has implemented an AML program.

The FDIC expanded Section 326.8 of its rules and regulations to require each FDIC-supervised institution to implement a CIP that complies with 31 C.F.R. 103.121 and incorporate the CIP into a bank's written, board-approved BSA compliance program (with evidence of such approval noted in the board meeting minutes). The National Commission on Terrorist Attacks Upon the U.S. and Monograph on Terrorist Financing³¹ stressed the importance of Section 326 of the PATRIOT Act and recognized that effective customer identification may deter the use of financial institutions by money launderers and terrorists.

This table presents the management response on the recommendations in our report and the status of the recommendations as of the date of report issuance.