Introductory BSA/AML Examiner School, Atlanta, CA

Bank of Smithville USA

Appendix B

APPARENT VIOLATIONS

Inadequate system of internal controls for BSA compliance

Section 326.8(c)(1) of the FDIC Rules and Regulations requires that the written Bank Secrecy Act Compliance Program must provide for a system of internal controls to assure ongoing compliance.

The mergers of Hill Bank and Community & Southern Bank (CSB) resulted in management’s decision to adopt Verafin as the automated monitoring system, the system utilized by Hill Bank. The volume of system-generated alerts, coupled with the lack of sufficient personnel resources, resulted in a significant backlog of alerts and cases. This backlog has resulted in systemic late submissions of SARs, with a large number of SAR filings occurring several months after sufficient information had been gathered to determine the need for a SAR. The current review also identified numerous instances of the failure to file SARs for activity with no business or apparent lawful purpose or transactions designed to avoid CTR reporting requirements, primarily relating to the use of cashier’s checks. Most of these issues were related to the two merged institutions, whose outstanding cashier’s checks had not been reviewed prior to the examination.

Additional internal control issues are noted. Currently, management does not have an effective process to monitor customers that process POATM activity through the institution. In order to effectively monitor this activity, management needs to be able to isolate POATM transactions and review the relationship between incoming ACH credits and the transactions utilized to replenish the ATM. The EDD on high-risk customers, currently conducted annually, should be performed more frequently. Additional procedures should be performed to identify suspicious activity that is not alerted by Verafin, such as large one-sided transactions and large cash withdrawals on active accounts whose behavior has resulted in the suppression of alerts (i.e., cashier’s check account, IOLTA accounts, construction companies).
BSA Officer Marks stated that the alert backlog had been eliminated and that significant progress had been made on both investigative and behavioral cases. She stated that the case backlog will be eliminated by December 31, 20XX. During the examination, she began the review and initiation of cases for larger outstanding cashier’s checks relating to the merged institutions. BSA Officer Marks stated that she will implement the isolation of POATM activity in order to establish an effective monitoring process. Chairman/CEO George Smith instructed BSA Officer Marks to develop processes to detect suspicious activity that is not generating Verafin alerts.

Failure to designate individual(s) responsible for BSA compliance

Section 326.8(c)(3) of the FDIC Rules and Regulations requires that the written Bank Secrecy Act Compliance Program must provide for the designation of an individual or individuals to coordinate and monitor day-to-day compliance.
