1. Conduct a risk assessment of the financial institution
2. Identify high-risk operations (products, services, customers, and geographic locations)
3. Develop an institution-wide risk management and oversight process
4. Approval: Risk Management and Oversight Process
5. Check customer information program (CIP) procedures
6. Evaluate ongoing monitoring systems for suspicious transactions
7. Check if beneficial ownership information is maintained and updated regularly
8. Check if BSA/AML compliance program is tested by independent third-party auditor
9. Audit internal control systems for BSA/AML compliance
10. Approval: Internal Control Systems Audit
11. Review documentation and reporting of currency transactions over $10,000
12. Evaluate the BSA officer and his or her team’s qualifications and appropriateness for the role
13. Check training programs for BSA/AML standards and procedures
14. Approval: Training Programs
15. Check if corrective actions have been taken for previously identified deficiencies
16. Verify if activity logs and reports are correctly maintained for five years
17. Review the institution's procedures for the regular update of its compliance program
Conduct a risk assessment of the financial institution
In order to ensure compliance with FFIEC requirements, conduct a comprehensive risk assessment of the financial institution. This will help identify potential vulnerabilities and guide the development of necessary controls. Consider the institution's size, complexity, customer base, products, services, and geographic locations. What are the potential risks and their impact on the institution? How can these risks be mitigated? Use the Risk Assessment form field to document your findings.
Identify high-risk operations (products, services, customers, and geographic locations)
Identify and assess high-risk operations within the financial institution. These may include specific products, services, customers, or geographic locations that pose a higher risk of money laundering or illegal activities. Consider factors such as transaction volume, complexity, frequency, and nature. Are there any red flags? Use the High-Risk Identification form field to document your findings.
1. Products
2. Services
3. Customers
4. Geographic Locations
Develop an institution-wide risk management and oversight process
Develop and implement a comprehensive risk management and oversight process that covers all areas of the financial institution. This should include policies, procedures, controls, and monitoring mechanisms to mitigate identified risks. How can the institution ensure ongoing compliance and adapt to changing threats? Use the Risk Management and Oversight Process form field to document your plan.
Approval: Risk Management and Oversight Process
Will be submitted for approval: Develop an institution-wide risk management and oversight process
Check customer information program (CIP) procedures
Review the financial institution's customer information program (CIP) procedures for compliance with FFIEC requirements. This includes verifying the adequacy of customer identification, recordkeeping, and verification processes. Are all required fields captured and verified? Is there a risk-based approach in place? Use the Customer Information Program (CIP) Procedures form field to document your assessment.
Evaluate ongoing monitoring systems for suspicious transactions
Evaluate the financial institution's ongoing monitoring systems for detecting and reporting suspicious transactions. This includes reviewing processes for monitoring transaction activity, investigating alerts, and filing Suspicious Activity Reports (SARs) when necessary. Are the systems effective in identifying unusual activity? How are alerts handled? Use the Ongoing Monitoring Systems form field to document your evaluation.
Check if beneficial ownership information is maintained and updated regularly
Review the financial institution's processes for maintaining and updating beneficial ownership information. This includes identifying and verifying beneficial owners of legal entity customers. Are the processes in line with the requirements of the Customer Due Diligence (CDD) rule? How is beneficial ownership information obtained and verified? Use the Beneficial Ownership Information form field to record your findings.
Check if BSA/AML compliance program is tested by independent third-party auditor
Verify if the financial institution's BSA/AML compliance program is periodically tested by an independent third-party auditor. This ensures the effectiveness and adequacy of the program. Has an independent audit been conducted? How frequently are audits performed? Use the BSA/AML Compliance Program Audit form field to document audit details.
Audit internal control systems for BSA/AML compliance
Conduct an audit of the financial institution's internal control systems to ensure compliance with BSA/AML requirements. This includes reviewing policies, procedures, and practices for detecting and preventing money laundering and terrorist financing. How effective are the internal control systems? Are there any identified deficiencies? Use the Internal Control Systems Audit form field to document your audit findings.
Approval: Internal Control Systems Audit
Will be submitted for approval: Audit internal control systems for BSA/AML compliance
Review documentation and reporting of currency transactions over $10,000
Review the financial institution's documentation and reporting processes for currency transactions over $10,000. This includes Currency Transaction Reports (CTRs) and other required reports. Are all transactions properly documented and reported? Is there a process in place for reviewing and filing CTRs in a timely manner? Use the Documentation and Reporting of Currency Transactions form field to record your review.
Evaluate the BSA officer and his or her team’s qualifications and appropriateness for the role
Evaluate the qualifications and appropriateness of the financial institution's BSA officer and their team for their roles. This includes assessing their knowledge, experience, and training in BSA/AML compliance. Do they have the necessary expertise? Are they aware of the latest regulatory requirements? Use the BSA Officer and Team Evaluation form field to document your evaluation.
Check training programs for BSA/AML standards and procedures
Review the financial institution's training programs for BSA/AML standards and procedures. This includes assessing the adequacy and effectiveness of training materials, methods, and frequency. Are employees properly trained to identify and report suspicious activity? How is training documented and tracked? Use the Training Programs Evaluation form field to record your assessment.
Approval: Training Programs
Will be submitted for approval: Check training programs for BSA/AML standards and procedures
Check if corrective actions have been taken for previously identified deficiencies
Verify if corrective actions have been taken to address previously identified deficiencies in the financial institution's BSA/AML compliance. This includes implementing controls, updating policies and procedures, and providing additional training when necessary. Have the identified deficiencies been resolved? How were the corrective actions implemented? Use the Corrective Actions Verification form field to document your verification.
Verify if activity logs and reports are correctly maintained for five years
Verify if the financial institution correctly maintains activity logs and reports as required by FFIEC for a period of five years. This includes transaction records, monitoring reports, alerts, and other related documentation. Are the records organized and easily retrievable? How are electronic records secured? Use the Activity Logs and Reports Verification form field to document your verification process.
Review the institution's procedures for the regular update of its compliance program
Review the procedures of the financial institution for the regular update of its BSA/AML compliance program. This includes ensuring that policies, procedures, and controls are reviewed and updated to reflect changes in regulations, risks, and emerging threats. How frequently are updates conducted? Is there a process in place for communicating updates to employees? Use the Compliance Program Update Procedures form field to document your review.