Audit Program Bank Secrecy Act and Anti-money Laundering W/P DONE DATE REF. BY Section A - Administration Audit Objective Determine that the bank has developed, and administers and maintains a program that ensures and monitors compliance with the Bank Secrecy Act anti-money laundering regulations. Audit Program 1. Determine that the bank has implemented a compliance program designed to assure and monitor compliance with the recordkeeping and reporting requirements of the Bank Secrecy Act (BSA) and its anti-money laundering (AML) regulations. Determine that program policies and procedures are: Documented in writing. Approved by the board of directors and noted in the board minutes. Reaffirmed annually as required by policy. Updated to reflect changes in the law and operations. 2. Obtain and review the BSA/AML compliance program and determine that the contents of the compliance program provide for the following: System of internal controls to ensure ongoing compliance. Independent compliance testing conducted by either bank personnel or an outside party. Designation of a qualified individual(s) responsible for coordinating and monitoring day-to-day compliance. Training for appropriate personnel. 3. Determine that the bank's AML policies address the following: The various types of money laundering. Compliance with BSA and related AML laws and regulations. A "know your customer" program. High-risk activities, businesses, and foreign countries commonly associated with money laundering. 4. Determine that the board of directors has appointed a BSA/AML officer. Through discussions with the BSA/AML officer, determine and document the duties and responsibilities assigned to this position. If responsibilities for compliance with various aspects of BSA/AML have been delegated to other individuals or departments, determine and document their role. Audit Program Bank Secrecy Act and Anti-money Laundering 5. Determine that the bank provides periodic training for appropriate personnel regarding their responsibilities under BSA/AML. Training should include, but not be limited to, tellers, platform, lending personnel, trust personnel, wire room, and bookkeeping personnel. Note dates of training session performed during the audit period and determine that the frequency of the training is adequate and that training is ongoing. Review documentation relevant to the scope of training sessions and determine the adequacy of such training based upon the targeted audience. 6. Determine that the bank retains copies of the following records for a minimum of five years: Cash Transaction Reports (Form 4789). Exemption lists. Designation of exempt persons. Biennial filings. Annual reviews. Monetary instrument logs. Report of International Transportation of Currency or Monetary Instruments (Form 4790). NOTE: When a customer is removed from the exempt list, the request for exemption is to be maintained for five years after removal from the list. 7. Summarize results of testing and conclude as to whether the audit objective has been met. Section B - Customer Identification Program and Foreign Banking Relationships Audit Objectives To determine compliance with Section 326 of the USA Patriot Act, requiring financial institutions to implement a customer identification program. To determine compliance with foreign correspondent and private banking relationships and information sharing. Audit Program Customer Identification Program (CIP) 1. Determine whether the bank has developed and implemented a CIP for all new customers. 2. Obtain and review CIP policy/procedures. Verify compliance with the following requirements: Program is documented. Program is approved by the board of directors and is incorporated into the bank's BSA program. Program includes identification and verification of new accounts Audit Program Bank Secrecy Act and Anti-money Laundering recordkeeping and comparison against government list of known or suspected terrorists. USA Patriot Act 1. Determine whether the bank maintains correspondent account relationships with foreign banks. If so, ensure the bank prohibits foreign shell banks from maintaining a correspondent account. If not, determine whether the bank's BSA/AML policy/procedures address this area. 2. Determine whether the bank maintains private banking accounts. If not, determine whether the bank's BSA/AML policy/procedures address this area. 3. Summarize results of testing and conclude as to whether the audit objective has been met. Section C Office of Foreign Assets Control Audit Objective To determine that the bank complies with the Office of Foreign Assets Control (OFAC) regulations prohibiting specific transactions with targeted countries and individuals or entities that are known to be acting on behalf of targeted countries. Audit Program 1. Determine that the bank has written policies and procedures for complying with OFAC laws and regulations. 2. Determine who has been delegated responsibility for compliance with OFAC and for overseeing blocked funds. 3. Determine and document the procedures for filtering transactions for possible OFAC violations as follows: New deposit accounts. Established deposit accounts. New loans. New trust relationships. Wire transfers. Letters of credit. 4. Determine and document procedures for maintaining a current list or database of blocked countries, entities, and individuals and disseminating such information throughout the bank. Ensure the list/database is up-to-date with foreign countries that the United States has imposed economic sanctions. Ensure the list/database contains specific sanctions by each individual foreign country, with a synopsis of the types of activities prohibited or severely limited. Audit Program Bank Secrecy Act and Anti-money Laundering Confirm the availability of the list/database to deposit, lending, wire, and operational personnel. 5. Verify the bank rejects funds transfers that are remitted (outgoing): By or on behalf of a blocked entity or individual. To or through a blocked entity. In connection with a transaction in which a blocked entity or individual has an interest. 6. Verify that reports on rejected transactions are sent to OFAC within 10 days and include the following: Name and address of the financial institution requesting the transfer. Date and amount of transfer. Photocopy of the transfer or payment. Reason for rejection. Name and telephone number of compliance personnel at the bank who has knowledge of the transaction. Name and address of the beneficiary bank. 7. Ensure bank procedures require the following when a payment order governed by OFAC is received (incoming): The bank accepts the instruction. Debits the customer's account. Blocks the payment on the books. NOTE: The bank may not reject the instructions and cannot accept a customer's cancellation of the original instructions. "Suspense" accounts should not be used. The only manner that the bank can process a transfer related to a targeted country is if the underlying transaction is authorized by general or specific license from OFAC. 8. Ensure that procedures require that transferred funds are blocked and placed in interest bearing accounts that the bank maintains an audit trail. 9. Verify that if the bank is holding blocked property, it reports to OFAC such property within 10 business days from the date that the property becomes blocked along with a copy of the transfer instructions. 10. Review any reports of blocked funds remitted during the audit period and verify the following has been provided: Financial institution's name and address. Identification of the property. The owner of the account. Property address and location. Account number. Value of the account. Blocking data. Photocopy of the transfer or payment instructions. Audit Program Bank Secrecy Act and Anti-money Laundering Confirmation that the funds have been deposited into a blocked account. The identity of the individual or entity subject to be blocking should be clearly identified. Name and phone number of compliance personnel at the bank who has knowledge of the transaction. Date of report. 11. If blocked property is maintained, determine that an annual report of blocked property held as of June 30 is filed with OFAC by September 30 using Form TDF 90-22.50. 12. Determine the bank releases funds from accounts that have been blocked only with specific authorization from the U.S. Treasury Department. 13. Determine that records relating to blocked property are retained for five years after the date property is unblocked and are made available to the U.S. Secretary of the Treasury upon request. All other records must be retained for five years after the date of the transaction. 14. Determine the bank is prepared to report to OFAC complete information relative to any transaction or property in which any foreign country or any foreign national has any interest in, including books of accounts, contracts, letters, or other papers connected with any such transaction. 15. Summarize results of testing and conclude as to whether the audit objective has been met. Section D - Funds Transfers Audit Objective To determine that procedures are in place to ensure compliance with recordkeeping requirements for funds transfers in the amount of U.S. $3000 or more. Audit Program Suspicious Funds Transfer Monitoring 1 Determine and document the procedures in place to monitor for accounts with frequent cash deposits and subsequent wire transfers of funds to a larger institution or out of the country. 2. Determine and document the procedures in place to monitor funds transfer activity for unusual patterns that might not be consistent with the nature of the business or occupation of the customer. Ensure written procedures have been developed, and include the following in your review: The method for capturing the data to be analyzed manual or automated. The frequency at which the captured data is compiled and submitted to the BSA officer for review. Include the scope of the BSA officer's review and action taken when unusual patterns are identified that require additional research (e.g., additional research of customer activity, knowledge of Audit Program Bank Secrecy Act and Anti-money Laundering customers' business, involvement of account officer, or suspicious activity reporting.) 3. Determine that the wire transfer database used for analysis by the BSA officer is complete. If the process is manual, select a sample of wire transfers (incoming and outgoing) from the wire transfer request forms and ensure the wires were properly entered into the manual database. If the process is automated, select a sample of wire transfers (incoming and outgoing) to ensure system interfaces are working properly. 4. Review the BSA officer's periodic analysis of wire transfer activity. Discuss with the BSA officer the nature of the analysis performed, and ensure it considers, at a minimum, the following red flags: A high volume of international wire activity processed by the bank. Customers sending/receiving high volumes of wires, both domestic and international. Customers sending/receiving wires from foreign/unregulated money exchange houses. Customers sending/receiving wires from non-cooperative countries. Noncustomer activity, including pay-upon-proper-IDs. Unusual wire activity, such as customers receiving small dollar wires followed by large outgoing wires. High volume of wires for whole dollar amounts. 5. Review the results of the BSA officer's monitoring procedures and ensure monitoring is adequately documented and contains evidence of appropriate research. In addition, ensure that conclusions are well documented and that SARs are filed, if appropriate. 6. Summarize results of testing and conclude as to whether the audit objective has been met. Section E - Filing of Currency Transaction Reports (CTRs) and Currency and Monetary Instrument Reports Audit Objective To determine that adequate procedures are in place to ensure the identification and reporting of currency transactions greater than U.S. $10,000 to the U.S. Internal Revenue Service (IRS). Audit Program 1. Determine if the bank has received a U.S. Treasury Department targeting order. If it has, consider scope modifications. 2. Document the process followed to ensure all reportable transactions are identified, being sure to include the following information: Audit Program Bank Secrecy Act and Anti-money Laundering How tellers process cash transactions to ensure transactions >$10,000 are captured by the system as reportable transactions. Determine whether currency/coin exchanges are processed to ensure these amounts are captured and aggregated with other cash-in and cash-outs of the customer (i.e., customer deposits to an account and obtains a coin order.) The various BSA reports with an explanation of how each report is used. NOTE: Determine whether exception reports are available and whether they are being used and reviewed regularly. The process management uses to ensure a properly completed CTR is filed on time. The process for correcting currency transaction report errors before filing with the IRS, including procedures for tracking errors by branch/employee, and action taken to address training issues. 3. From the applicable system reports used by management to identify reportable transactions, randomly select 20 cash transactions greater than $10,000 from the most recent six-month period. Ensure that CTR forms were filed for all reportable transactions, or that reasons for not filing a CTR are documented and are reasonable (i.e., exempt transaction; not a cash transaction.) In addition, ensure CTRs are completed in accordance with the guidelines. 4. Review the CTRs selected in Step 3 above and select 10 additional CTRS filed by the bank in the most recent 6 month period. Include different types of reportable transactions and CTRs originated from various sources. Ensure that: The most recent version of the IRS form is in use. All applicable areas of the CTR form were properly completed. Each CTR was signed and dated by the preparer and reviewer. The CTR was filed within 15 calendar days following the date of the transaction. 5. Review all correspondence from the IRS or Treasury regarding incorrect or incomplete CTRs returned for corrective action since the last audit. Ensure the bank has implemented appropriate corrective action and filed the report within 20 calendar days. 6. Determine whether the bank has physically transported currency or monetary instruments totaling more than $10,000, on its own behalf, into or out of the United States. If so, verify that a Currency and Monetary Instruments Report - Form 4790 was filed with the U.S. Customs Service as follows: (31 CFR 103.25) The bank filed Form 4790 with the Commissioner of Customs at the time currency or other monetary instruments exceeding $10,000 was transported, mailed, or shipped from the United Audit Program Bank Secrecy Act and Anti-money Laundering States to any place outside the United States, or into the United States from any place outside the United States. The bank filed Form 4790 within 15 days after receipt when it received U.S. currency (or other monetary instruments) in an aggregate amount exceeding $10,000 on any one occasion, which was transported, mailed, or shipped to the bank from any place outside the United States, in which a form had not previously been filed. 7. Determine whether there is a procedure to identify and report suspicious transactions or pattern of activity to the BSA officer. 8. Determine whether the bank performs a periodic review of currency shipments to and from the Federal Reserve Bank, correspondent banks, and between branches over a period of time (at least 3 months) to determine that the volume appears reasonable. 9. Summarize results of testing and conclude as to whether the audit objective has been met. Section F - Exemption List and Designation of Exempt Persons Audit Objective To determine that exemption procedures are in compliance with the administrative exemption rules. Audit Program 1. Determine whether the bank maintains a centralized list of customers who are exempt from CTR requirements. 2. Obtain and review the centralized list to ensure that only the following permitted exemptions are included: Domestic banks. Federal, state, and local government agencies and any entity exercising governmental authority (powers to tax, exercise the authority of eminent domain, or exercise police powers). Any entity listed on the New York Stock Exchange, American Stock Exchange, or NASDAQ Stock Market (franchises are not included.) Subsidiaries of a listed entity (provided the listed entity owns 51 percent.) Non-listed businesses (includes franchises of a listed business.) Businesses that make frequent cash withdrawals for payroll purposes. 3. Review the bank's "designation of exempt persons" procedures for adequacy. 4. Select a sample of 10 "exempt persons" exempt since the prior audit from the centralized list. Include each type and test for compliance with the exemption rules, as follows: Audit Program Bank Secrecy Act and Anti-money Laundering Domestic Banks, Government Agencies, Listed Businesses and Subsidiaries of Listed Businesses Determine that the "designation of exempt persons" was made by filing a single CTR and the Designation of Exempt Persons form (TDF 90-22.53.) The designation of exempt persons was filed no later than 30 days following the first transaction in excess of $10,000. NOTE: All cash transactions are exempt and the entity need not have an account relationship. Non-Listed Businesses and Payroll Customers 1. Determine that the designation of exempt persons was made by filing a Designation of Exempt Persons form (TDF 90-22.53) and the account holder has met the exemption criteria as follows: Has maintained a transaction account for at least 12 months. Had frequent currency transaction more than $10,000 or withdrawals in excess of $10,000 in currency to pay employees in the U.S., as applicable (eight times in a 12 month period). Is incorporated or registered as an eligible business in the United States. NOTE: In determining the qualification of a customer as an exempt person, a bank may treat all exemptible accounts as a single account. All accounts of the exempt person become exempt and only transactions conducted through an exempt account(s) are exempt from the reporting requirements. NOTE: A sole proprietor may be treated as a non-listed business or payroll customer if it otherwise meets the requirements and the account(s) is used for business purposes. 5. Summarize results of testing and conclude as to whether the audit objective has been met. Section G - Exempt Account Reviews, Biennial Renewals, and Monitoring System Audit Objectives To determine that periodic reviews of exempt account holders are performed to ensure that only properly qualified account holders remain exempt and that there is a system in place to monitor accounts of exempt persons for suspicious activity. Audit Program 1. Obtain and review the bank's policies and procedures for the annual review and biennial renewals of exempt persons. Audit Program Bank Secrecy Act and Anti-money Laundering 2. Determine that the bank has established procedures to review and verify information supporting each designation of an exempt person at least once each year as follows: Listed Businesses/Subsidiaries of Listed Businesses Ensure that the parent company of a listed business remains listed on the stock exchanges. Non-Listed Businesses and Payroll Customers Ensure the account holder continues to meet the eligibility requirements for an exemption as follows: Conducted frequent transactions > $10,000. Is still duly incorporated or organized in accordance with eligibility requirements. 3. Determine and document the bank's procedures for monitoring all accounts of non-listed businesses and payroll customers for suspicious activity. 4. Determine that the bank submits a biennial filing with the U.S. Treasury to renew the exempt status of non-listed businesses and payroll customers (designation of exempt persons) as follows: The designation is renewed beginning on March 15 of the second calendar year following the year in which the first designation of such customer as an exempt person is made, and every other March 15 thereafter. The renewal includes a statement certifying that the bank's system of monitoring transactions in currency of an exempt person for suspicious activity has been applied as necessary, but at least annually, to the account of the exempt person to whom the biennial renewal applies. The renewal includes information about any change in control of the exempt person involved of which the bank knows (or should know based on its records). 5. Select a sample of exempt account holders being sure to include each type and review the documentation used for the annual review and biennial renewal, as applicable: Annual Review - Listed Business Ensure the parent company remains listed on the stock exchange as outlined in Step 2. Annual Review - Non-Listed Business and Payroll Customer Ensure all accounts of the account holder have been monitored for continued eligibility and suspicious activity as outlined in Step 2. Biennial Renewal - Non-Listed Business and Payroll Customer Ensure a biennial renewal has been filed certifying the monitoring of accounts of the account holder for suspicious activity as outlined in Step 4.