Federal Bank Regulatory Agencies and FinCEN Issue Joint Statement on Risk-Focused Bank Secrecy Act/Anti-Money Laundering Supervision

On July 22, the U.S. federal bank supervisory agencies and the Financial Crimes Enforcement Network (FinCEN) issued a joint statement “to emphasize their risk-focused approach to examinations of banks’ Bank Secrecy Act/anti-money laundering (BSA/AML) compliance programs,” and to improve transparency into the risk-focused approach that the agencies use for planning and performing BSA/AML examinations.

The joint statement has two principal sections, each of which addresses multiple topics:

  1. BSA/AML Compliance Programs and Risk Profiles:
    • General Requirement: The joint statement first sets out the agencies’ expectations that “banks structure their compliance programs to be risk-based and to identify and report potential money laundering, terrorist financing, and other illicit financial activity,” in order “[t]o assure that BSA/AML compliance programs are reasonably designed to meet the requirements of the BSA.” Such a risk-based compliance program “enables a bank to allocate compliance resources commensurate with its risk.”
    • Risk Assessment and Risk Profile: The joint statement briefly notes, with regard to BSA/AML risk assessments, that “[a] bank’s well-developed risk assessment is a critical part of sound risk management and assists examiners in understanding the bank’s risk profile.” With regard to risk profiles, it further states that banks “determine the levels and types of risks that they will assume.” On this point, the joint statement attaches a footnote stating that “[b]ank directors provide guidance regarding acceptable risk exposure levels and corresponding policies while management implements policies, procedures, and practices that translate the board’s goals, objectives, and risk limits into prudent operating standards.”
    • Risk Mitigation and “De-risking”: “Banks that operate in compliance with applicable law, properly manage customer relationships and effectively mitigate risks by implementing controls commensurate with those risks are neither prohibited nor discouraged from providing banking services.” This sentence, as the agencies explain in a footnote, “does not create additional requirements or supervisory expectations for banks.” The joint statement also recapitulates prior statements by the banking agencies on de-risking, encouraging banks “to manage customer relationships and mitigate risks based on customer relationships rather than declining to provide banking services to entire categories of customers.”
    • Agencies’ Approach to Examinations: The joint statement summarizes the agencies’ approach to BSA/AML examinations as follows:
      • “Federal banking agency examiners evaluate the adequacy of a bank’s BSA/AML compliance program relative to its risk profile, and that bank’s compliance with applicable laws and regulations. Examiners review risk management practices to evaluate and assess whether a bank has developed and implemented effective processes to identify, measure, monitor, and control risks.”
      • The joint statement also recognizes that there is no “one-size-fits-all” risk profile applicable to banks.  It notes that the agencies “recognize that banks vary in focus and complexity, and that these differences create for each bank a unique risk profile. Accordingly, the scope of BSA/AML examinations varies by bank.”  With regard to the variability of focus, it briefly states, in a footnote, that “[f]or example, a bank with a localized community focus likely has a stable, known customer base.”
  2. Risk-Focused Examinations: This section begins with a general statement that the federal banking agencies “conduct risk-focused BSA/AML examinations, and tailor examination plans and procedures based on the risk profile of each bank.” It then explains how the agencies conduct those examinations:
    • Common Practices: This section notes that common practices for assessing the bank’s risk profile include the following actions:
      • “leveraging available information, including the bank’s BSA/AML risk assessment, independent testing or audits, analyses and conclusions from previous examinations, and other information available through the off-site monitoring process or a request letter to the bank”;
      • “contacting banks between examinations or prior to finalizing the scope of an examination”; and
      • “considering the bank’s ability to identify, measure, monitor and control risks.”
    • This section adds that “[t]he information gained from assessing the bank’s risk profile assists examiners in scoping and planning the examination and initially evaluating the adequacy of the BSA/AML compliance program.”
    • Resource Allocation: This section declares that the federal banking agencies “generally allocate more resources to higher-risk areas, and fewer resources to lower-risk areas. For example, the pre-examination request list is tailored to the bank’s risk profile, complexity, and planned examination scope.”
    • Risk Assessment and Testing: This section further states:
      • “Examiners review a bank’s BSA/AML risk assessment and independent testing to assess the bank’s ability to identify, measure, monitor, and control risks. Risk assessments and independent testing that properly consider and test all risk areas (including products, services, customers, and the geographic locations in which the bank operates and conducts business) are used in determining the examination procedures and transaction testing that should be performed.”
    • Examination Manual: This section concludes with a declaration that the risk-focused approach reflected in the joint statement “forms the foundation for the information, instructions, and procedures communicated to examiners through the Federal Financial Institutions Examination Council BSA/AML Examination Manual.”

In its conclusion, the joint statement recapitulates a number of its key points:

  • “Risk-focused BSA/AML examinations consider a bank’s unique risk profile”;
  • Examiners “use risk assessments and independent testing when planning and conducting examinations,” and “assess the adequacy of a bank’s BSA/AML compliance program during each examination cycle”;
  • “The extent of examination activities necessary to evaluate a bank’s BSA/AML compliance program generally depends on a bank’s risk profile and the quality of its risk management processes to identify, measure, monitor, and control risks, and to report potential money laundering, terrorist financing, and other illicit financial activity.”

Note:  Financial institutions’ risk and AML compliance teams should read the joint statement closely, both as a general checklist for reviewing their BSA/AML compliance programs and as a frame of reference in preparing for future BSA/AML examinations.  While the joint statement specifically states that it “does not establish new requirements,” it articulates regulators’ expectations regarding BSA/AML program evaluations in greater detail than before.

The joint statement also may serve as a recognition of the limits to which regulators may go in questioning the adequacy of a bank’s BSA/AML program. So long as a bank has thought through and provided sufficient processes and resources for each element of its program, taking into account its unique risk profile, it can be in a stronger position to challenge, respectfully but firmly, any suggested revisions to its BSA/AML program that are inconsistent with a risk-based approach.
