How to Effectively Implement the 5 Pillars of BSA Compliance
According to U.N. estimates, the amount of money laundered around the world is a whopping 2%-5% of the global GDP, or around $800 billion to $2 trillion. Those trillions are pumped into detrimental activities like narcotics trafficking and terror financing.
Banks and other financial institutions are often at the frontlines of this shadow war. Recognizing this, U.S. financial regulators have designed a comprehensive regulatory framework to battle money laundering and other illegal activities in the form of the Bank Secrecy Act (BSA).
In this article, find out about the BSA and understand the best practices for BSA compliance.
What Are BSA, AML, and BSA/AML?
The Bank Secrecy Act is a U.S. statute to deter and detect money laundering and other financial crimes by requiring banks and other financial institutions to maintain and report information about their customers and transactions to the U.S. government.
The BSA was enacted as public law 91-508. It's been amended since and codified in the following sections of the United States Code (USC) and its regulations included in the Code of Federal Regulations (CFR):
Anti-money laundering (AML) refers to the U.S. regulatory framework to counter money laundering, terror financing, and other illegal activities. The AML regulations implement multiple laws, including the BSA of 1970, the Money Laundering Control Act of 1986, the USA PATRIOT Act of 2001, and the Anti-Money Laundering Act of 2020.
Collectively, the financial industry refers to these regulations as Bank Secrecy Act/anti-money laundering (BSA/AML).
BSA Reports
The BSA/AML rules require financial institutions and individuals to file the following reports electronically whenever they identify suspicious activity or meet the reporting thresholds described below:
- Currency transaction reports (CTRs): CTRs are filed for cash transactions exceeding $10,000 in a single day either by an individual or a group of people suspected of working together.
- Suspicious activity reports (SARs): These must be filed if transaction activity looks suspicious, such as an apparent attempt to evade CTR filing by keeping transactions under the $10,000 threshold.
- Foreign bank and financial account reports: These are reports that legal entities and individuals must file if they have any accounts in foreign banks or other institutions.
- Cash payment reports: Any trade or business that receives over $10,000 in cash must file cash payment reports.
- Registration of money services business: Any person conducting business like exchanging currency, transacting cryptocurrency, issuing money orders, or selling traveler's checks must register themselves as a money service business.
- Currency or monetary instrument reports: Anyone who transports, mails, or ships currency or other monetary instruments exceeding $10,000 out of or into the U.S. must file these reports.
- Exemption reports: Financial institutions can request exemptions from BSA/AML for entities or individuals.
Who Should Worry About BSA/AML Compliance?
BSA/AML covers all traditional and modern financial institutions and financial services, including:
- Banks
- Investment companies
- Foreign banks
- Depository institutions
- Money services businesses
- Credit unions
- Modern financial services like cryptocurrency exchanges
Which Regulatory Agencies Enforce the BSA/AML?
BSA/AML regulations are monitored by multiple agencies that are responsible for different types of financial institutions in the U.S. They also conduct BSA examinations for their respective institutions. These agencies include:
- Financial Crimes Enforcement Network (FinCEN): This unit of the Department of the Treasury (DOT) is the primary regulator and law enforcement agency for implementing and enforcing BSA/AML.
- Office of Foreign Assets Control (OFAC): This is a DOT unit that enforces sanctions and prohibits transactions with individuals, entities, and countries designated as national security threats.
- The Federal Reserve System: The Fed is the U.S. central bank that supervises the federal branches of most domestic banks and some foreign banks.
- Federal Deposit Insurance Corporation: It supervises and examines banks that aren't members of the Federal Reserve System, such as state-chartered banks and savings associations.
- National Credit Union Administration: It regulates and examines credit unions.
- Office of the Comptroller of the Currency: It supervises national banks, federal savings associations, and federal branches of foreign banks.
- Securities and Exchange Commission: It enforces BSA/AML for financial institutions like broker-dealers and investment companies.
- Commodity Futures Trading Commission: It ensures BSA compliance by commodities traders.
- Internal Revenue Service: It enforces BSA/AML compliance by non-banking financial institutions.
What Are BSA/AML Examinations?
The regulatory agencies above must regularly examine the BSA/AML compliance programs of all the institutions they supervise. To do so, they conduct AML examinations based on a comprehensive set of AML examination procedures formulated by the Federal Financial Institutions Examination Council (FFIEC).
The FFIEC also publishes an AML examination manual with guidelines and best practices for every aspect of BSA/AML compliance.
What Are the Penalties for BSA/AML Non-Compliance?
The penalties for not complying with BSA/AML include:
- Civil penalties like fines
- Criminal penalties including imprisonment
- Regulatory sanctions on business and transactions
In the next section, we show some case studies of what can happen if an institution is non-compliant.
Case Studies in BSA Compliance Violations
Let's see some cases of non-compliance reported by the FinCEN enforcement actions database.
1. UBS Financial Services Fined $15 Million
UBS Financial Services is a well-known broker-dealer of securities. FinCEN determined that for 13 years, it failed to develop an adequate risk-based BSA/AML compliance program and failed to implement required compliance measures, such as customer due diligence. FinCEN fined it $15 million and required it to implement compliance improvements.
2. Crypto Exchange Bittrex Fined $30 Million
Bittrex, a cryptocurrency exchange, incurred a civil penalty of $30 million from FinCEN for multiple violations: non-compliance with BSA/AML regulations (such as not filing suspicious activity reports), non-compliance with OFAC regulations, and failure to implement risk-based internal controls.
5 Pillars of BSA Compliance and Best Practices
The Federal Reserve System issued a set of final rules that impose four requirements on BSA compliance that all financial institutions must follow. Later, FinCEN's final rules added a fifth requirement related to customer due diligence (CDD). These five requirements for compliance programs are known in the financial community as the "five pillars of BSA compliance."
Let’s look at the five pillars as well as additional strategies you should adopt for your AML compliance program.
1. Internal Controls to Ensure Ongoing Compliance
The first pillar of compliance requires institutions to have internal controls to limit illegal activities. Internal controls are the institution's policies and procedures to identify and mitigate the risks of money laundering and other illegal financial activities. Follow these best practices:
- Ensure internal controls are proportional to the organization's size, business exposure, AML risk levels, operational complexity, and organizational structure.
- Implement departmental internal controls if you’re a large institution.
- Monitor information technology resources that support BSA/AML compliance.
- Segregate roles, responsibilities, and duties to avoid conflicts of interest between business goals and compliance restrictions.
- Identify compliance roles and responsibilities for specific personnel.
2. Independent Testing for Compliance
The second pillar requires institutions to conduct independent testing of their compliance programs by internal or external auditors. Best practices include:
- The testing must evaluate the quality of the institution's risk management strategies regarding the risks of money laundering and other illegal activities.
- It must ensure that the risk assessment is commensurate with the organization's risk profile in terms of business operations, customer profiles, and locations.
- The scope and frequency of testing must be proportional to the organization's risk profile regarding money laundering and similar risks.
- It must test that the bank's systems for detecting suspicious activities are effective.
- It must ensure that the institution is complying with all recordkeeping and reporting requirements like the customer identification program, customer due diligence, beneficial ownership, suspicious activity and currency transaction reports, and similar.
- It must evaluate the overall adequacy of BSA/AML compliance and report drawbacks to the board of directors and senior management.
3. Compliance Officers for Monitoring Day-to-Day Compliance
The third pillar requires institutions to have compliance officers for coordinating and monitoring day-to-day compliance with BSA/AML. Follow these best practices:
- Compliance officers must have adequate authority, independence, and resources to effectively execute their compliance duties.
- Compliance officers must have direct lines of reporting to the board of directors, and the board must consider the compliance officers' input on risk profiles and assessments of illegal activities.
4. Training on Compliance
The fourth pillar expects institutions to train their relevant personnel for BSA/AML proficiency. Best practices include:
- Tailor the training to each person's role and responsibilities. The board of directors and senior management must be trained on BSA compliance because they're ultimately responsible for setting up the compliance program.
- Training should demonstrate examples of money laundering and suspicious activity monitoring that are tailored to each operational area. For example, loan department personnel should be trained to identify money laundering through lending arrangements.
- High-risk business lines like lending, foreign banking, or private banking should get more advanced training on compliance.
- Conduct periodic training on emergent risks and new regulatory guidelines.
- Training materials and dates should be maintained for auditor and examiner reviews.
5. Customer Due Diligence
The fifth pillar, added by FinCEN's CDD rules, covers requirements on CDD, customer identification, and beneficial ownership. Follow these best practices:
- Adopt risk-based CDD policies and procedures. Assess money laundering and similar risk profiles for every customer.
- Ensure that high-risk customers are adequately monitored by suspicious activity detection.
- Avoid any criminal exposure from persons who attempt to use the institution for illegal activities.
- Follow the regulations of the customer identification program, such as verifying the details and identities of customers.
- Identify the beneficial ownership of legal entity customers. Shell companies and similarly complex ownership structures are the most common routes for money laundering and terrorist financing.
- Follow know-your-customer best practices.
How Does Certa Boost Your BSA Compliance?
Certa's risk and compliance platform is designed to help you effectively implement the five pillars of BSA compliance:
- When working with third parties, Certa's risk platform is designed to help you identify, document, and mitigate your risks of money laundering and other illegal activities.
- Certa enables the effective use of technology for anti-money laundering, as required by the Anti-Money Laundering Act of 2020, with features like workflow automation, automated decisions based on information reported by partner services, centralized compliance dashboards for monitoring and reporting, audit trails to prove due diligence and compliant intentions, secure document management for non-repudiation, and more.
- Certa enables compliance officers to systematically enforce company-wide policies and procedures, continuously monitor them, and generate all the compliance reports mandated by the regulations.
- Certa's built-in Shareable Content Object Reference Model (SCORM) integration enables regular training and testing of internal and external users on BSA/AML knowledge without ever leaving the Certa platform.
Talk to our compliance specialists today for more information on how Certa can help with your BSA compliance.