Evolving regulation—from the Bank Secrecy Act through the USA Patriot Act: who are your customers, what are they doing, and why should you care?

RMA Journal, The, July-August, 2004 by Michael I. Frachioni

The din of publicity and commentary surrounding the Patriot Act over the past three years should not cause one to lose sight of the fact that this three-year-old Act has been over three decades in the making and, with respect to customer information and activities, merely augments existing statures and regulations.

The Bank Secrecy Act (BSA) was enacted in 1970 to fight money laundering and other financial crimes. To keep pace with evolving and increasingly sophisticated financial crimes, and to strengthen law enforcement's ability to combat them, the BSA has been amended a number of times--by the Money Laundering Control Act of 1986, by the Money Laundering Suppression Act of 1994, and, most recently (and most publicly), by the USA Patriot Act of 2001.

Given the increasingly intense scrutiny paid to BSA compliance by both regulators and the public, we would expect financial institutions to be increasingly vigilant in their strict compliance with the Acts. Sadly, that's not always the case.

Bank Secrecy Act

Financial institutions are required to adopt a written internal compliance program, approved by the board of directors and noted as such in the board minutes. It is startling to discover the number of institutions that have yet to comply with these fundamental elements. In the large scheme of compliance examination, this may be a small point, but it sets the tone for the regulators as to how comprehensive an institution's BSA program may be.

In addition, a qualified bank employee must be designated as the BSA compliance officer with day-to-day responsibility for all aspects of the program, oversight of employee training, and compliance with all BSA regulations.

Under the BSA, financial institutions also are subject to a number of reporting and record-keeping requirements, most notably Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs). They also must retain a record of each cash sale of bank checks, cashier's checks, money orders, and traveler's checks ranging from $3,000 to $10,000, and they must maintain a record of each funds transfer of $3,000 or more that they originate, for which they act as intermediary, or receive.

Finally, institutions must provide for periodic, independent audit and testing of transaction and record-keeping activities. FDIC and OCC personnel have made it clear, both in public pronouncements and in conversations with this author, that BSA compliance, record keeping, and testing will remain a priority of examiners for the foreseeable future.

Training. Comprehensive training of all appropriate personnel is the cornerstone of any institution's BSA and anti-money-laundering program. The BSA requires that the bank ensure appropriate personnel are trained in all elements of the BSA and the bank's internal compliance programs. Fundamentally, such training programs must cover three basis areas:

1. Appropriate personnel. All bank personnel, including senior management, who have any type of customer interaction (including in person, by telephone, or electronically), who oversee any customer activity, or who handle cash in any way must be appropriately trained in the Act, its associated regulations, and the institution's internal compliance programs. Such personnel include, but are not limited to, branch administration, customer service, private banking, correspondent banking, trust, brokerage, safe deposit, and vault personnel.

2. Ongoing and up-to-date. Training must be ongoing and incorporate developments in or changes to the BSA, anti-money-laundering laws, and OCC and the Treasury Department's Financial Crimes Enforcement Network (FinCEN) regulations. Examples of laundering schemes should be provided, and the training should address ways in which money laundering or other violations may be detected and eliminated.

3. Penalties. The training should address potential penalties for failure to comply with applicable statutes, regulations, or the institution's internal programs. These may include fines, termination, or criminal prosecution. Finally, programs should identify resources able to provide additional guidance to personnel. These may include contact information for compliance personnel and written copies of the institution's compliance programs or handbooks.

CTR. A CTR (IRS Form 4789) must be filed for each deposit, withdrawal, exchange of currency, or other payment or transfer by, through, or to a financial institution involving a currency transaction of more than $10,000. Multiple transactions must be treated as a single transaction if the institution has knowledge that they are conducted by or on behalf of the same person and the transfers of currency in aggregate total more than $10,000. Note that such institutional knowledge is attributable to officers, directors, employees, and any automated or manual systems employed in an effort to detect multiple transactions. Filings must be made with the IRS Detroit computing center within 25 days after the reportable transaction if filing magnetically and 15 days if a paper filing is made.