The 5 pillars of BSA: Does the new AML/CFT program rule add a sixth pillar? (2024)

The 5 pillars of BSA

Understanding the pillars to build a strong AML program

This post updates a 2022 blog to include information on AML pillars from newer rules.

The task of building arobustAML/CFTprogram may seem overwhelming for Anti-money Laundering/Combating the Financing of Terrorism (AML/CFT)Officers. Knowing where tobeginis the key to a successful projectplan when developing a new programor revamping an outdated or inefficientprogram. Historically, there has been nobetter place tostartthan with the foundation ofan AML/CFT program, the five pillars of the Bank Secrecy Act (BSA).

An interesting question to pose now is whether there are still only five pillars of an AML program.

With FinCEN’s new Proposed Rule to Strengthen and Modernize Financial Institutions’ AML/CFT Programs (AML/CFT proposed rule), we might argue that there are now six pillars of BSA. The Financial Crimes Enforcement Network’s AML/CFT program rule codifies a risk assessment process as part of BSA and AML compliance. Perhaps the risk assessment mandate will become the primary BSA pillar once the Federal Financial Institution Examination Council (FFIEC) updates its examination manual.

BSA Exam Manual takeaways

Pillars for AML compliance from the FFIEC

Fortunatelyfor AML/CFTOfficers,regardless of experience level, the FFIECBSA Examination Manual already providesguidancefor youto buildor restructureyour AML/CFT program.However, copying and pasting therecommendations into your policies and procedures will not be enough to ensure asolidprogram. You must understand each of the pillarstomanage accordingly and educate those on the front line about the role they will play in bringing it to life. You must alsoinstilla strongculture of complianceat your institutionto ensure long-term success.

Let's examine the key takeaways for each of the current five pillars of BSA and AML compliance. Then, we’ll examine what might become the sixth AML pillar.

1. Internal controls

Many factors make the internal control pillar critical to your AML/CFT program. Not only is this a required part of BSA compliance, but controls also ensure that things are running smoothly and that you won't be caught off guard during a regulatory examination. Critical internal controls include:

• Developing policies, procedures, and processes designed to mitigate and manage money laundering and terror financing.
• Providingtimely updates in response to changes in regulationsto keep your AML/CFT programalignedwith regulatory expectations.
• Incorporatingdual controls and the segregation of dutiesto ensure anessentialsecondmanagement layer.
• Managingtechnological and staffing resources strictly will enable you toensure that all AML responsibilities are met. Or,at the minimum, allow you to make your business case to seniormanagementif resources are deficient.
• Providingforprogram continuity despite changes in operations, management, or employee structureto ensure that no surprises occur from issues such as a pandemic or other natural disaster.

2. Designation of an AML/CFT Officer (formerly BSA Officer)

The AML/CFT Officer pillar seems intuitive; all successful programs must have a competent leader. A well-sought-out appointment is critical. Remember these important key factors when appointing your AML/CFT Officer:

• The designatedAML/CFTOfficermust be approved by the board of directors and recorded in meeting minutes.
• The AML/CFT Officermusthave the appropriatebackground and level of experiencefor the position.Promoting the head teller of the institution, no matter how great a staff membertheymay be,will probably not pass regulatory scrutiny.
• The AML/CFT Officer must have the necessary authority, independence, and access to resources to administer an adequate AML compliance program. Independence means that the reporting structure should be outside of the compliance area, and the AML/CFT Officer should be the decision maker in all matters relating to BSA. The title of this position is unimportant from a regulatory perspective, but the authority, independence, and access to resources are critical.

3. Periodic BSA training

Despite sounding straightforward, BSA training is often not implemented properly and is a common examiner finding. Ongoing training is at the heart of a solid AML compliance program. Be sure to take these steps to fulfill the BSA training requirements:

• Avoid one-size-fits all training. BSA training must be tailored to each employee's roles and responsibilities. Thefront-linestaff is your ultimate line of defense and must have detailed BSA training. However, lenders need to know what is relevant to their job functions, and the board of directorsrequireshigh-level training to cover their fiduciary duties.
• Conduct BSA training at least annually and more often if you experience deficiencies in implementing policies and procedures. An effective AML/CFT program cannot be achieved without all team members having the necessary knowledge.
• Document training modules and dates for every staff member, includingtheboard of directors. If one stubborn executivemisses training, you will receive regulatory criticism. Remember to stressaculture of compliance if you run into this situation.

4. Independent testing

The term independent testing is used interchangeably withanaudit function. This pillar is designedto assess a financial institution's compliance with AML requirements and the overall adequacy of the AML compliance program. An independent auditbeforean exam, either internal or by a third party, gives you the ability to shore up any gaps in your programbeforea regulatory exam.Takeaways for financial institutions from this pillar include:

• Independent testing should be conducted by the internal audit department, outside auditors, consultants, or other qualified independent parties.
• Those conducting the audit must have sufficient knowledge and experience with AML compliance.
• Audits shouldconsider the entire AML/CFT program, includingAML and OFAC monitoring technical resources. Periodic AML model validations will also be required to ensurethat AMLsoftware is working as intended and that all critical data sources feeding into each model are identified.

5. Ongoing customer due diligence (CDD)

A cornerstone of a robust AML compliance program is adopting and implementing risk-based CDD policies, procedures, and processes for all customers, particularly those that present a higher risk for money laundering and terrorist financing. The objective of ongoing customer due diligence is to understand the nature and purpose of customer relationships, which may include understanding the types of transactions in which a customer is likely to engage. These processes assist financial institutions in determining when transactions are potentially suspicious. Below are important factors to assess when developing your CDD program:

• Each CDD program should begin with a Customer Identification Program (CIP) as outlined in the USA PATRIOT Act.
• CDDshould berisk-focused. Not all customers in a higher-risk category have equal riskwithin an institution. Rely on yourinstitution's uniquerisk assessment to determine how much due diligence isrequired for each customer type.
• As part of CDD, financial institutions must identify and verify beneficial owners of legal entities with an ownership interest of 25% or more. Beneficial ownership is determined under both a control prong and an ownership prong. Under the control prong, the beneficial owner is a single individual with significant responsibility to control, manage, or direct a legal entity customer. For each legal entity, the customer must identify one beneficial owner under the control prong.
• It's worth noting that the Anti-Money Laundering Act of 2020has required FinCEN toanalyzeany changes needed to the CDD legislation onceFinCEN establishes the beneficial ownership registry. Although details for this requirement are very late in coming to fruition, you should keep your eyes open for future updates onCDD and beneficial ownership changes.

Risk assessment requirement

A possible sixth pillar for AML compliance

The risk assessment process has been a regulatory expectation for AML/CFT programs for a long time but has never been codified until mentioned in the AML/CFT proposed rule. If the rule is finalized as currently written, a financial institution would be mandated to establish a risk assessment process to serve as the basis of the AML/CFT program. FinCEN intends for financial institutions to utilize a dynamic and recurrent risk assessment process not only to assess and understand a financial institution's money laundering and terrorist financing risks but also to manage and mitigate those risks reasonably. Once the final rule is published, the FFIEC will likely incorporate this requirement as the primary pillar of an AML/CFT program.

Essential guides

Adherence to the pillars is crucial for institutions

The five, or six, pillars of BSAareessential guidelines forallAML/CFT programs, andregulatorslook for the implementation and results of eachduring an examination.Of course,it iscrucialto have a successful regulatory examination, butwhyis adherence tothe pillarsimportantfor financial institutions? Remember the underlying reasons forfollowingtheseguidelines — the critical components of AML/CFT:

• Detecting and reporting unusual or suspicious activity
• Avoiding criminal exposure from personsusing your institutionfor illicit purposes
• Adhering to safe and sound banking practices.

Federal regulators have issued several recent enforcement actions involving BSA pillar violations, such as one issued by the FDIC to a California bank in October 2023. Findings include:

• Inadequate written BSA compliance program
• Insufficient internal controls
• AML/CFT Officer not qualified
• BSA training was not tailored to specific job duties
• Unacceptable CDD program
• Insufficient suspicious activity monitoring

Remembering these BSA pillars, including a robust risk assessment process, is essential fora successfulexamination, which will confirm your institution's safety and soundness. These pillars must be understood and cannot be missed for a successful AML/CFT program.