The Federal Financial Institutions Examination Council Issues Revisions to the BSA/AML Examination Manual

April 27, 2020

Click for PDF

The Federal Financial Institutions Examination Council (“FFIEC”)[1] recently announced the publication of substantial revisions to the first section of its Bank Secrecy Act/Anti-Money Laundering Examination Manual (the “Manual”) regarding the BSA/AML examination process and the examination of a bank’s overall BSA/AML program.  The revisions including the risk assessment and the required elements of the program (i.e., internal controls, BSA/AML compliance officer, independent testing, and training).[2] Other than the update in 2018 to reflect the changes resulting from the U.S. Department of the Treasury Financial Crime Enforcement Network’s (“FinCEN”) Customer Due Diligence Rule, the Manual had not been revised since 2014.[3]

With financial institutions and regulators focused on responding to the COVID-19 pandemic, these long-awaited revisions to the FFIEC Manual received scant attention. Although addressed to examiners, the Manual was and continues to be a window into how regulators understand BSA requirements and an expression of regulatory expectations.

The revisions to the Manual were the work of an interagency BSA/AML Working Group (the “Working Group”) composed of FinCEN and the federal depository institution regulators.[4] The Working Group is charged with promoting BSA/AML compliance efficiency and fostering better communication between federally regulated depositary institutions and their regulators. This group has issued several joint statements related to BSA/AML compliance on issues including the Customer Identification Program rules for premium finance lending,[5] the sharing of BSA/AML compliance resources,[6] the promotion of innovation in BSA/AML compliance,[7] the use of a risk-focused approach to BSA/AML compliance,[8] and the provision of services to hemp-related businesses.[9] Other joint statements from the Working Group are expected.

Initially, it was anticipated that the Working Group would put forward a revision of the entire Manual as early as 2018, but that did not occur. Last year, members of the Working Group indicated that the revisions to the Manual would be not be rolled out all at once, as with revisions to previous editions to the Manual. Instead, the revisions would begin with the first section—which was included in the recent revisions—and additional revised chapters would follow.

Importantly, Working Group members had indicated that they would try to ensure that the revised language would differentiate between what examiners should consider a regulatory or legal requirement as opposed to guidance. This approach can been seen in the newly revised chapters. For instance, the previous language on what independent testing should include has been revised to what testing may include in the newly issued guidance.[10]

Turning to the recent revisions, the overarching theme of these revisions is to reinforce and better describe the risk-based nature of BSA/AML compliance and the examination process. Consistent with its July 22, 2019 joint statement on using a risk-focused approach, “[m]any of the revisions [to the Manual] are designed to emphasize and enhance the Agencies’ risk-focused approach to BSA/AML supervision.”[11] Some of the key changes in the recent revisions include:

  • The core BSA/AML program elements must be examined in every examination cycle.[12]
  • Beyond the core elements and even in examining the core elements, the extent of an examination will depend on the risk profile and the quality of the risk management processes of the bank.[13] The scope of a BSA/AML examination “varies by bank and should be tailored primarily to the bank’s risk profile,” as well as the bank’s size, complexity, and organizational structure.[14]
  • Examiners may rely on the quality of the independent testing function as well as the risk assessment in scoping the examination.[15]
  • The prior version of the Manual stated that it is sound practice for banks to periodically reassess their BSA/AML risks at least every 12 to 18 months.[16]  The Revised Manual, however, provides that there is no requirement to update a BSA/AML risk assessment “on a continuous or specified periodic basis.”[17]
  • The examples of specific products and services, customer and entity types, and geographic locations to consider in the risk assessment (pp. 18-22 of the 2014 Manual) have been eliminated. These may have been considered dated, incomplete, or too prescriptive.
  • There is a more expansive discussion given to examiners on the types of compliance testing to conduct on a risk basis.[18]
  • While always the practice, the Manual now explicitly states that the examiners should discuss the preliminary results of an examination with the bank before issuing a report.[19]
  • An OFAC review is not required during every examination cycle.[20]

The revisions are not intended to set forth any new requirements and none of the recent revisions should come as a surprise. Instead, the revisions reflect further clarification of BSA/AML requirements, regulatory expectations, and examination practices that have been communicated through the examination process and in public fora by the regulators for many years. The changes also reinforce that the examiners are encouraged to exercise discretion in the execution of the examinations based on the risk profile and compliance history of the institution.

__________________

   [1]   The member agencies of the FFIEC are the Federal Reserve Board (“FRB”), the Federal Deposit Insurance Corporation (“FDIC”), the Office of the Comptroller of the Currency (“OCC”), the National Credit Union Administration (“NCUA”), and the Consumer Financial Protection Bureau (“CFPB”).

   [2]   Federal Financial Institutions Examination Council, Interagency Statement on April 2020 Updates to the Bank Secrecy Act/Anti-Money Laundering Examination Manual (Apr. 15, 2020), https://www.ffiec.gov/press/PDF/Interagency%20Statement.pdf; Federal Financial Institutions Examination Council, Bank Secrecy Act/Anti-Money Laundering Examination Manual (Apr. 2020), https://www.ffiec.gov/press/PDF/FFIEC%20BSA-AML%20Exam%20Manual.pdf (the “Revised Manual”). While customer due diligence (“CDD”) is also a required element of a BSA/AML program, it is addressed in a later section of the Manual that was not revised at this time.

   [3]   See Federal Financial Institutions Examination Council, Customer Due Diligence — Overview (May 5, 2018), https://www.ffiec.gov/press/pdf/Customer%20Due%20Diligence%20-%20Overview%20and%20Exam%20Procedures-FINAL.pdf.

   [4]   Those regulators are the FRB, the FDIC, the NCUA, and the OCC.

   [5]   Working Group, Order (Sept. 27, 2018), https://www.fdic.gov/news/news/financial/2018/fil18052a.pdf.

   [6]   Working Group, Interagency Statement on Sharing Bank Secrecy Act Resources (Oct. 3, 2018), https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20181003a1.pdf.

   [7]   Working Group, Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing (Dec. 3, 2018), https://www.occ.gov/news-issuances/news-releases/2018/nr-occ-2018-130a.pdf.

   [8]   Working Group, Joint Statement on Risk-Focused Bank Secrecy Act/Anti-Money Laundering Supervision (July 22, 2019), https://www.fdic.gov/news/news/press/2019/pr19065a.pdf.

   [9]   Working Group, Providing Financial Services to Customers Engaged in Hemp-Related Businesses (Dec. 3, 2019), https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20191203a1.pdf.

[10]   Revised Manual at 24-26.

[11]   Federal Financial Institutions Examination Council, Interagency Statement on April 2020 Updates to the Bank Secrecy Act/Anti-Money Laundering Examination Manual at 1 (Apr. 15, 2020), https://www.ffiec.gov/press/PDF/Interagency%20Statement.pdf

[12]   Revised Manual at 10, 18.

[13]   Id. at 1.

[14]   Id.

[15]   Id.

[16]  Federal Financial Institutions Examination Council, Bank Secrecy Act/Anti-Money Laundering Examination Manual at 24 (2014), https://bsaaml.ffiec.gov/docs/manual/BSA_AML_Man_2014_v2_CDDBO.pdf.

[17]   Revised Manual at 15.

[18]   Id. at 24-28.

[19]   Id. at 35.

[20]   Id. at 2.

The following Gibson Dunn lawyers assisted in preparing this client alert: Matthew Biben, Stephanie Brooker, Joel Cohen, M. Kendall Day, Mylan Denerstein, Arthur Long, Joseph Warin, Linda Noonan, and Chris Jones.

Gibson Dunn has deep experience with issues relating to the defense of financial institutions. For assistance navigating white collar or regulatory enforcement issues involving financial institutions, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Financial Institutions Group, or the authors:

Matthew L. Biben – New York (+1 212-351-6300, [email protected])
Stephanie Brooker –  Washington, D.C. (+1 202-887 3502, [email protected])
Joel M. Cohen – New York (+1 212-351-2664, [email protected])
Kendall Day– Washington, D.C. (+1 202-955-8220, [email protected])
Mylan L. Denerstein – New York (+1 212-351-3850, [email protected])
Arthur S. Long – New York (+1 212-351-2426, [email protected])
Joseph Warin– Washington, D.C. (+1 202-8870-3609, [email protected])
Linda Noonan – Washington, D.C. (+1 202-887-3595, [email protected])
Chris Jones* – San Francisco (+1 415-393-8320, [email protected])

*Mr. Jones is admitted only in New York and Washington, D.C. He is practicing under the supervision of Principals of the Firm.

© 2020 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.