Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual

BSA/AML Compliance Program Structures — Overview

business with the organization in multiple business lines or jurisdictions. 168 Regardless of how a consolidated BSA/AML compliance program is organized, it should reflect the organization’s business structure, size, and complexity, and be designed to effectively address risks, exposures, and applicable legal requirements across the organization. A consolidated approach should also include the establishment of corporate standards for BSA/AML compliance that reflect the expectations of the organization’s board of directors, with senior management working to ensure that the BSA/AML compliance program implements these corporate standards. Individual lines of business policies would then supplement the corporate standards and address specific risks within the line of business or department. A consolidated BSA/AML compliance program typically includes a central point where BSA/AML risks throughout the organization are aggregated. Refer to “Consolidated BSA/AML Compliance Risk Assessment,” page 24. Under a consolidated approach, risk should be assessed both within and across all business lines, legal entities, and jurisdictions of operation. Programs for global organizations should incorporate the AML laws and requirements of the various jurisdictions in which they operate. Internal audit should assess the level of compliance with the consolidated BSA/AML compliance program. Examiners should be aware that some complex, diversified banking organizations may have various subsidiaries that hold different types of licenses and banking charters or may organize business activities and BSA/AML compliance program components across their legal entities. For instance, a highly diversified banking organization may establish or maintain accounts using multiple legal entities that are examined by multiple regulators. This action may be taken in order to maximize efficiencies, enhance tax benefits, adhere to jurisdictional regulations, etc. This methodology may present a challenge to an examiner reviewing BSA/AML compliance in a legal entity within an organization. As appropriate, examiners should coordinate efforts with other regulatory agencies in order to address these challenges or ensure the examination scope appropriately covers the legal entity examined. Structure of the BSA/AML Compliance Function As discussed above, a banking organization has discretion as to how to structure and manage its BSA/AML compliance program. For example, a small institution may choose to combine BSA/AML compliance with other functions and utilize the same personnel in several roles. In such circumstances, there should still be adequate senior-level attention to BSA/AML compliance, and sufficient dedicated resources. As is the case in all structures, the audit function should remain independent. A larger, more complex firm may establish a corporate BSA/AML compliance function to coordinate some or all BSA/AML responsibilities. For example, when there is delegation of BSA/AML compliance responsibilities, and BSA/AML compliance staff is located within lines of business, expectations should be clearly set forth in order to ensure effective implementation of the BSA/AML compliance program. In particular, allocation of 168 For additional guidance, refer to the expanded overview section, “Foreign Branches and Offices of U.S. Banks,” page 164, and the Basel Committee on Banking Supervision’s guidance Consolidated Know Your Customer (KYC) Risk Management. .

FFIEC BSA/AML Examination Manual

156

2/27/2015.V2