I am always wary of definitive “best practices” lists. By definition, “best practices” vary depending on the size and nature of an organization in any compliance context.
This variability is applicable to the financial industry. AML/BSA compliance can have a dramatic impact on one business but little impact on another business with a different profile.
With all those caveats, there are some principles to examine in the AML/BSA context.
Banks and financial institutions have to devote significant efforts to risk assessment, policies and procedures, regulatory reporting and transaction monitoring. They face a daunting task given the number of transactions and the speed with which they occur. There are lots of ways banks and financial institutions can make mistakes.
Given the importance of a risk assessment, financial institutions need to update their risk assessment and their formulas for risk weighting at least every year. In some geographic markets where the risk is high, it may be a good idea to update the rankings twice a year.
Financial institutions need to manage and update their policies and procedures to make sure they are consistent, current, and comprehensive statements of program requirements and procedures. They have to be drafted and maintained using consistent language and descriptions.
AML/BSA compliance focuses on proper regulatory filings, especially Suspicious Activity Reports (SARs) and Currency Transaction Reports. Financial institutions need to ensure that these reports are subject to a uniform quality control process that reviews filings for consistency. Most institutions maintain SAR committees to review and ensure that each SAR is properly filed and subject to consistent scrutiny.
Customer Identification Programs (CIPs) should be subject to annual audits in specific areas, especially high-risk areas. Financial institutions need to evaluate on a continuing basis how the CIP is working, whether modifications are needed, and where compliance has been spotty. Such audits will help to evaluate the CIP and determine whether modifications or enhanced training programs for employees are needed.
Enforcement agencies have focused attention on OFAC compliance with applicable sanctions. As a result, many financial institutions are subjecting their transactions to a dual screening and review process for compliance with applicable sanctions. This is a good idea. Many of the recent enforcement actions involved deliberate attempts by personnel to circumvent sanctions by deleting information or by withholding specific information from transaction paperwork.
An area that is often ignored in any compliance program is record retention requirements. Given the volume of transactions conducted by a financial institution and the number of reports and monitoring programs, the financial institution should pay special attention to maintaining such records for at least five years, and in most cases, longer than five years.
In the training area, effective AML/BSA training programs usually reflect a training needs assessment. Such an assessment is helpful in designing a training program to meet the needs of specific departments and geographic areas. Training programs can be designed to reflect specific needs in discrete departments.
Training materials should be updated each year to reflect current trends and developments, as well as up-to-date policies and procedures. Every training program should include some type of quiz or review of information covered in the program. Also, each training session should include a brief survey so that feedback on the program can be gathered at the conclusion of any training program.