CMS Case Study

Citizens Bank and Trust 2020-2021 Risk Assessment Summary

Audit Area: BSA

Score ranges: High (21-30), Moderate (11-20), Low (0-10)

Risk Factor: Compliance
Score: 20
High (21-30): Potential violations of high profile regulations with potential fines, legal liability or costly corrective action are possible.
Moderate (11-20): Significant regulatory requirements are evident; however, regulatory expectations are clearly outlined in the BSA/AML Examination Manual. Violations, if any, will be technical in nature.
Low (0-10): Regulatory requirements are limited to low-profile regulations and law issues that warrant action but have significantly lower levels of risk.
Rationale: The Bank Secrecy Act (BSA) presents a high degree of compliance requirements, and violations of these requirements can result in significant penalties to the Bank. Furthermore, noncompliance exposes the Bank to a risk of loss from theft, fraud, money-laundering, and other illegal activities. The Bank performed satisfactorily in the last FDIC Safety and Soundness Examination (January 2019), and the last BSA internal audit (2019) included five recommendations.

Risk Factor: Nature of Operations
Score: 21
High (21-30): Complex manual or automated systems are new, critical to management decision making, or important to product delivery.
Moderate (11-20): Complex manual or automated systems are important to management decision making or product delivery; however, collaborating or alternative back-up systems exist.
Low (0-10): Noncomplex systems and operations are seasoned, with well-established back-up routines.
Rationale: Compliance with the BSA involves both automated processes and manual functions. The activities required for compliance are numerous, and they require attention from personnel who possess knowledge of BSA issues and experience in identifying situations that may require further action, as well as experience in taking such action. The Bank utilizes the BAM+ BSA/AML software to monitor, detect and resolve suspicious activity. Limited procedures have been performed by Compliance as independent validation testing of BAM+ after implementation.

Risk Factor: Training & Development
Score: 9
High (21-30): Minimal BSA training is required, and attendance is not adequately monitored. BSA Officer rarely attends training and continuing education programs.
Moderate (11-20): Employees attend BSA training, and attendance is monitored; however, the quality and thoroughness of the training program is not adequate. The BSA Officer attends training.
Low (0-10): Well-defined BSA training program for all applicable employees, and completion of this training is monitored. The BSA Officer attends training in order to fulfill all responsibilities, as well as to monitor the overall training program of the Bank.
Rationale: The Bank employs a BSA training program in an effort to ensure that its personnel possess the necessary knowledge to maintain compliance. The Bank uses the BAI training program. The training is automated, and employees are educated on different elements of the BSA program commensurate with their job responsibilities. Records of completion are maintained electronically and monitored by the BSA Officer (Emily Siprelle). Additionally, the BSA Officer or the Compliance Officer* (Karen Mitchell) attends off-site BSA training annually.
*The Bank has two Assistant BSA Officers: Denise Robinson and Karen Mitchell.

Risk Factor: Internal Controls
Score: 17
High (21-30): Controls are nonexistent or known to be weak.
Moderate (11-20): There is no basis for control assessment, or they are thought to be weak.
Low (0-10): Controls are strong or adequate.
Rationale: The Bank adheres to a strong BSA policy and procedures for ensuring compliance with the regulation requirements. The Bank utilizes the BAM+ BSA/AML software to monitor, detect and resolve suspicious activity. Employees receive appropriate levels of training, based on their job responsibilities. The BSA Officer and Assistant BSA Officer receive appropriate training. Monitoring procedures are in place and occur at several different levels, including oversight by the BSA Officer. The BSA Officer's position is approved on an annual basis by the Board of Directors. The Board is kept informed of the status of the Bank's BSA program. There have been no previous regulatory findings of significance in the BSA area. However, the most recent internal audit (2019) resulted in five recommendations, including a recommendation to enhance the BSA Risk Assessment.

Risk Factor: Changes to systems, processes, or procedures
Score: 13
High (21-30): Major changes since last audit are anticipated this year or not recently reviewed.
Moderate (11-20): Minor changes since last audit are anticipated this year.
Low (0-10): No changes since last audit are planned this year.
Rationale: Because BSA is somewhat dynamic, the BSA Policy and Procedures are updated as needed in order to maintain compliance.

Risk Factor: Management
Score: 9
High (21-30): Management lacks experience or places low priority on internal controls.
Moderate (11-20): Management has average experience.
Low (0-10): Management is experienced and has high priority on controls.
Rationale: Members of management have achieved their positions within the Bank because of their level of knowledge, demonstrated skills, and experience within the banking industry. The BSA Officer and Assistant BSA Officer have extensive experience in BSA Compliance Management. A strong emphasis is placed on maintaining a sound control environment.

Risk Score: 89
