CrossCheck Compliance can assist with AML/BSA compliance through AML program design, review, and audit.
AML Program Requirements
The regulation requires residential mortgage lenders and originators (RMLOs), as defined in the regulation, to establish AML programs that include the following “four pillars” of AML:
- Policies, procedures and internal controls
- Designation of an AML compliance officer
- Ongoing training
- Independent testing
AML Independent Testing
Our audit procedures are based on guidance provided by FinCEN and the Federal Financial Institutions Examination Council (FFIEC) and are tailored to address the specific regulatory requirements of the institution. Our approach takes into consideration the differences between the regulatory requirements for banking institutions and non-depository institutions and includes the following:
- Evaluation of the overall integrity and effectiveness of the Bank Secrecy Act (BSA) / AML compliance program, including policies, procedures and processes, as well as technical compliance
- Review of the institution’s risk assessment for reasonableness by considering its risk profile including products, services, customers, and geographic locations
- Appropriate risk-based testing of the program with emphasis on high-risk areas, products, and services including requirements for a customer identification program (CIP), suspicious activity reporting (SAR), currency transaction reporting (CTR), CTR exemptions, and information sharing requests as applicable
- Review of the effectiveness of suspicious activity monitoring systems used for BSA/AML compliance
- Assessment of employee knowledge of regulations and procedures
- Evaluation of management’s efforts to resolve violations and deficiencies noted in prior audits and examinations
- Assessment of the adequacy, accuracy, and completeness of training programs
- Review of related record retention requirements
CrossCheck’s approach includes assessing the following:
- Risk Assessment: The first step in developing an efficient, cost-effective AML Program is to understand the organization’s AML risk profile. CrossCheck will review the company’s risk assessment for adequacy and ensure it properly considers such things as the organization’s existing control environment, service offerings, geographical locations, customer base, volumes, etc. The results of the risk assessment are a key foundation of the AML Program.
- AML Program: CrossCheck will assess the program commensurate with the AML risk profile of the institution and assess whether it appropriately addresses the designation of an AML/BSA Officer, policies and procedures, ongoing training, etc. Testing of the following areas will also be considered when assessing the effectiveness of the institution’s AML Program.
- Suspicious Activity Reporting: CrossCheck will review the written policies and procedures in place to monitor and detect potential suspicious activity. We will test the accuracy and timeliness of a sample of SARs filed as well as situations where activity was reviewed but a decision not to file a SAR was made. Testing will include ensuring that proper supporting documentation is retained and procedures for filing repeat SARs are effective and in compliance.
- Information Sharing (USA PATRIOT Act, Section 314(a) and (b)): Banks and RMLOs are required to designate a point of contact responsible for compliance with the information sharing requirements of the Act. CrossCheck will review written policies and procedures to ensure compliance and will test to ensure that reviews are performed in a timely manner, that they cover the appropriate timeframes, i.e. 12 months, and that any positive findings are reported to FinCEN appropriately.
- Currency Transaction Reporting (CTRs) and Exemptions: Banks (depository institutions) are required to file currency transaction reports for cash transactions greater than $10,000 and maintain a list of any customers exempt from CTR reporting. CrossCheck will review procedures for aggregating and identifying transactions and will test a sample of recent CTRs for accuracy, timing, etc. CrossCheck will also review procedures for maintaining and documenting exempt customers as required.
- IRS Form 8300 Reporting: While RMLOs are not required to complete Currency Transaction Reports, they are required to file IRS Form 8300 for cash transactions over $10,000. We will ensure procedures include 8300 reporting requirements, and that reports are filed appropriately when and if applicable.
- OFAC Testing: CrossCheck will review the adequacy of procedures for ensuring compliance with OFAC requirements, that OFAC checks are performed, and that any potential OFAC suspects or ‘hits’ are reviewed and resolved appropriately.
- Customer Identification Program: When appropriate, CrossCheck will review the institution’s customer identification program and due diligence procedures for compliance with regulatory guidance.