The "4 Pillars" of BSA Compliance
Regulators and compliance professionals refer to the "4 Pillars" of all effective Bank Secrecy Act Anti-Money Laundering compliance programs:
Designation of a Compliance Officer
Someone has to be assigned ongoing responsibility
for ensuring compliance with the Bank Secrecy Act.
This person should have the authority, budget and
training necessary to get the job done,
commensurate with the risks to the business.
Development of internal policies, procedures and controls
The business needs to have written policies and
procedures governing its actions. The policies and
procedures, to be based upon a written assessment
of risks to the business, should be tailored to the
business. The business must meet any obligations
for registration, documentation of transaction
activity, obtaining customer identification and
maintaining records, currency transaction
reporting, monetary instrument logging, suspicious
activity reporting, ongoing training, et cetera.
Ongoing, relevant training of employees
Naming a BSA officer and having written policies
and procedures on a book shelf is meaningless if
they are not actually implemented. And, most of us
will readily admit, procedures are not implemented
unless employees are trained, the training is kept
current and relevant, and the employees are then
managed according to the procedures. Each MSB must
train ALL of its employees at least once per year
on the basics of Bank Secrecy Act compliance and
the specifics of the business's BSA-related
procedures. The amount and type of training should
be appropriate to the risks faced by the business
and must be documented.
Independent Testing and Review
The fourth pillar is "independent testing" of the
compliance program. In order to be independent, the
testing cannot be performed by the BSA Officer or
by someone with direct responsibility for
compliance. In order to be effective, the testing
must be done by someone with knowledge of the Bank
Secrecy Act.
In cases where a particular MSB's risk profile is low or even medium, it is appropriate for the independent compliance review to be conducted by a knowledgeable, independent party. That could be an employee of the business or even your brother-in-law who runs a convenience store that is an MSB on the other side of town.
If, on the other hand, your business is "high risk" based on its own risk assessment, then the independent review should be performed by an outside party with knowledge and experience. A consultant or auditor who assists MSBs with independent reviews may be found among the businesses listed on the vendor pages here, or perhaps through your CPA or law firm. Your bank may also maintain a listing of entities from whom it accepts or prefers to receive independent reviews.
And, speaking of your bank, regardless of your own risk assessment, your bank may decide based upon its own assessment and policy that it wants to have an independent review for your business from an independent party other than an insider. In that case, you may try to persuade the bank that your risk assessment is valid and the outside expense unnecessary. If you can't persuade the bank, then you must weigh the costs and risks - obtain outside review as requested... or try to obtain a new banking relationship.
Complete the Independent Review Request form to initiate a discussion with MSB Compliance about independent review of your business.
So, let's recap the basics - "The 4 Pillars":
1. Compliance Officer
2. Tailored internal policies, procedures and controls
3. Ongoing, relevant training of employees
4. Independent Review for compliance
Do those four things and do them well to manage risk and avoid problems for your money services business, its owners, managers and employees.