
Bank Secrecy Act: How Your Institution Can Prepare for Compliance Changes Ahead

By: Marianne Drumm
Senior Manager, Internal Audit

Historically, financial institutions have been required to implement a Bank Secrecy Act/Anti-Money Laundering (BSA/AML) program based on four “pillars” in order to comply with Section 352 of the USA Patriot Act.

To bolster the fight against money laundering and terrorist financing, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) added a fifth pillar in May 2016. Financial institutions have until May 11, 2018, to implement this pillar into their BSA/AML programs.

This is a valuable chance to review the full BSA/AML program to ensure your financial institution has a culture of compliance strongly supported at all levels of the institution.

New BSA/AML Compliance Pillar

Until recently, financial institutions were required to establish a BSA/AML program that included these four pillars:

  1. Development of internal policies, procedures and controls: These must be risk-based, comprehensive and subject to constant review and update.
  2. Designation of a BSA Compliance Officer with the appropriate level of authority and responsibility: This individual must be permitted to carry out duties with independence and autonomy.
  3. Ongoing employee training: General BSA/AML and Office of Foreign Assets Control training must be supplemented with training on the institution’s own policies and procedures that are specific to various functions and staff roles.
  4. Independent testing of the AML program: The testing must be adequate in scope and coverage, and must be conducted by qualified and independent auditors.

In May 2016, FinCEN issued a final rule creating a fifth pillar related to beneficial ownership and risk-based customer due diligence. Starting on May 11, 2018, financial institutions will be required to:

  • Establish risk-based procedures for conducting ongoing customer due diligence, including the development of customer risk profiles;
  • Implement ongoing monitoring to identify and report suspicious activity; and,
  • Update customer information on an event-driven, risk-based basis triggered by information detected during normal monitoring.

Beneficial Owner Identification Required

This new rule also requires financial institutions to establish and maintain written procedures designed to identify and verify the beneficial owners of legal entity customers. A legal entity customer is a corporation, limited liability company or other entity created by filing a public document with a Secretary of State or similar office; a general partnership; or any similar entity formed under the laws of a foreign jurisdiction that opens an account.

The rule identifies two types of beneficial owners of legal entity customers:

  • Ownership Prong: Includes each individual who, directly or indirectly, owns 25 percent or more of the equity interests of the legal entity customer
  • Control Prong: A single individual with significant responsibility to control, manage, or direct the legal entity customer (e.g., CEO, CFO, Treasurer)

Excluded from the beneficial owner identification requirements are the following legal entities: banking organizations; entities whose common stock is traded on the New York, American or NASDAQ stock exchange; SEC-registered investment companies and advisers; foreign financial institutions established in jurisdictions that have beneficial ownership reporting regimes; and legal entities with private banking accounts subject to FinCEN rules.

As always, it is imperative for the board and senior management to understand their responsibilities as they relate to BSA/AML compliance and to set the tone for a proactive, aware and engaged culture of compliance. With the addition of the new pillar and its requirements, financial institutions will have even more information to capture and data to report, so it is a sound idea to start preparing now for these new compliance responsibilities.

Questions about the new BSA/AML pillar or overall compliance in this regulatory area? Contact the RKL Risk Management Compliance Team.