Probably like all auditors, I have always been under the assumption that BSA required annual audits. In performing a BSA audit, I was discussing training with the BSA Officer. When looking at the regulation, specifically FDIC reg 326.8(c)(2) which states The complaince program shall provide for independent testing for complaince to be conducted by bank personnel or by an outside party. I could not find anywhere in the reg where it required annual. While I know that the examiners want you to do this annually, where is this required by regulation?

I don't think there's anything in the Regs that state it must be annual but more periodic. Also, I think regulators think at least annually is sound business practice. Personally as my bank's BSA Officer, I want to conduct training at least annually to ensure that employees understand the reg and it's/their obligations (especially since I can be personally liable for issues/violations).

For me BSA is audited at least annually because it is considered to be a high risk audit area. If it was not audited annually, the OCC lead examiner I work with would be asking me a lot of questions come time for the next exam.

I believe kansayaku nailed it. Unless you have zero risk in this area you have to recognize that it is a highly scrutinized and detailed regulation as well as having some degree of subjectivity. Risk-based rules will dictate an annual or more frequent review, IMHO.

The one thing you don't want is for the federal or state examiners to come in and find you have a problem with BSA. You want to find it and correct it first. We didn't have a BSA audit for over a year and in that time we had a new BSA Officer. Let's just say that when the examiners found problems and the BSA Officer's excuse was that he wasn't aware of specifics of the regulation, they were not impressed in the least. We now have a new BSA Policy and BSA procedures that are followed religiously. We also have BSA training for all employees on a quarterly basis. I am the Bank's Auditor and I complete a BSA/Suspicious Activity Audit on a semi-annual basis. I hope to one day have to complete this audit on an annual basis. But, as long as I find even minor problems with BSA, our management will insist that the audit remains at least semi-annually. If problems develop, I have been informed that the audits could become as frequent as monthly. Count you lucky stars if you do it once a year, there are those of us out here that don't have that luxury. lol. By the way, the BSA Officer we had, is no longer with the bank. Thought you might want to know that tidbit of information. And we were very lucky to not be fined, but were allowed to correct the problems. It was the first bad BSA exam we had so they were a bit easy on us, but we know they won't be next time. There is absolutely no way a bank wants to be found to have a pattern or practice of BSA violations and with the bad exam on our record it could easily happen. The more frequent audits keep everyone on their toes and hopefully in compliance.

While I agree with everything that has been stated, in my risk assessment, my BSA did not come at the top of the list - it is about middle ways. There were more riskier areas which needed to come before BSA. I know that Examiner's like to see BSA done on an annual basis (I used to be an FDIC examiner), but my point was it does not say anything in the regulation itself, only in the examiner's manual.

This brings up a point about annual audits. Now that the regulators want to see a risk assessment performed for the audit departments schedule, the risk assessment might not produce the results that BSA, Invesments, ALM, Trust, IS be audited once a year. I have spoken to examiners about this and they just say that they would like to see some auditing performed on certain areas within these required fields.

Anyway, I was just curious about the regulation not specifically stating that BSA has to be audited annually. While my risk assessment does not show BSA to be audited annually, we have done certain parts of BSA this year. My point being, the purpose of the risk assessment is to identify those areas with the greatest risk so they can be audited first. When I spend time with the limited staff that we have auditing those areas that do not have the greatest risk in my insitiution, less time is spent on the areas that have the greatest risk.

I guess I will find out when we get examined.

As a previous Examiner, I would say contact your regulatory agency and ask for their interpretation of the regulation. The regulatory agency I was with first said it was a rolling 18 months, but more recently has gone to every 12 months. Since the reg does not say specifically, I would go directly to the regulator.

I think Andy and the other responders bring up the best point -- which is that an annual assessment has come to be expected, so you do it.

I'm more on the IT-related side and the lead examiner during an IT examination mentioned during an exit discussion with my boss and a division head present that no "annual" information security review of any type, nor any "annual" review of disaster preparedness status was being performed or "reported" to the Board. I, like you, protested that nowhere did it say "annual", but later the division head pulled me aside and said, "They're holding all the aces, so you don't question the condition of the deck". In other words, when a regulatory issue is "hot" -- which BSA/AML/PATRIOT/OFAC is -- you are expected to target that area as a high-risk area.

What could present more risk than losing your FDIC insurance and your charter? That's what can happen if the bank is convicted of money laundering, and that can happen if your BSA/AML program is so weak that it allows a money laundering scheme to go undetected.

I would agree with Kansayaku, BSA/AML is at the top of the examiner's hit parade. We just went through an OCC exam and they expected audit to have looked at BSA within the last 12 months, based on the risk. I tend to agree with them. It is not only the reputation risk, the fines, but also the fact that any expansion plans your company may have could be halted, should you have any BSA issues. Other focuses for this exam were: audit, compliance and loan review as internal controls. Flood was once again a hot topic.

And just to throw my worthless 2 cents in, our Internal Audit department reviews BSA/AML/CIP forms, reports and logs on a quarterly basis and I perform a full blown annual review. The examiners (Nov 2003)were happy with this approach.

I think this has expanded from the original post of "surprised that the BSA regulation did not require an annual audit".

However, the whole reason for an audit department to perform a risk assessment is to evaulate YOUR BANK as to the areas which pose the most risk. Not every bank will be the same. Depending on what type of controls are in place in YOUR BANK - you may rate an area less if there are adequate controls in place. For example, wire transfer was on the top of my list from concerns as to the internal controls that were in place surrounding this area. With only two auditors in my department (including me)in a $650 million bank, the only way to schedule is by risk assessment.

I agree that BSA is a HOT topic - but you also have to access the geographical area of your Bank. If you State is listed as low for having money laundering activity and you feel that your controls in place for BSA are very adequate, and other areas in your bank pose more risk - then I think that is ample enough reason not to have BSA listed at the top of your risk assessment.

It might be helpful to note that question 52 of the FDIC's recently revised BSA examination procedures is:

Determine if the audit/independent review is conducted at least annually.

Each agency has "program" regulations. They require supervised institutions to have a BSA compliance program that includes four specific elements and a CIP. The original post correctly cited FDIC, not BSA, regulations.

Each agency supports its program regulations with examination procedures. The examination procedures describe what the agency is expecting to see in an acceptable BSA compliance program. There are dozens of things in those examination procedures that are not covered in the regulations; BSA regulations do not set the standards for what is an acceptable compliance program, the examination procedures do. Failing to adhere to the concepts set out in the examination procedures is a lay down violation of the program regulations. If you fail to conduct an annual BSA examination and the examiners realize it, you will be cited for an indefensible violation of law.

Determining the frequency of a BSA examination is outside any knowingly designed risk assessment process, unless you are considering whether it should be done more frequently than annually.

Wow! That has to be the best answer I've ever seen to this question!!

So how would they site an 'indefensible violation of law' if it does not state (in the FDIC Regulations) that BSA requires an annual audit. While I do perform an annual audit of BSA (at least parts of it) - I am just playing devils advocate. In order to site a violation of law, they have to have a law for citing it. While they may strongly recommend that you do one - or they could site you for lack of safety and soundness standards (Under FDIC's 364) in not performing annual audits - I do not see how they could cite it on Part 326.

If you have a squeeky clean audit in this area when you do get around to doing a complete review, you can probably prove that your risk assessment of this area is on target. If your review finds numerous (or probably even only one) finding then of course they will point out that a full blown annual review is necessitated. And you may get written up for not adequately assessing the risk.

We do an annual review of BSA, OFAC, Patriot, etc. and we are in a non-metropolitan, low money laundering area. Our risk of money laundering is low, but our risk of noncompliance in these areas is greater.

You are probably right about the violation of law or regulation, but look at it this way. You can go along for years with no BSA problems, and no annual BSA reviews, but if somewhere down the line something goes wrong, the first place they will zero in are your policies and your periodic reviews.

Have any of you ever had the examiners come in and perform the BSA exam when you had your internal audit scheduled? If so, did you push back your internal audit or did you begin your audit as soon as the examiners left?

We had a BSA exam third quarter of last year and I usually perform my annual audit in October, but since the examiners JUST conducted their exam, I pushed mine back a few months (4 months) because of overlapping. Any thoughts on this?

I did exactly that. I followed up on recommendations they made immediately and then did a full audit 3 - 4 months later (as my annual check). When they returned to our bank just less than 18 months later, that "flew" with the examiners (we are an FDIC bank).

Cool! Thanks.

I had completed the audit/exit interview and had submitted the draft audit report when the examiners were present at my bank during the 3rd qtr. of 2003. They reviewed my workpapers and concurred with my findings. But they also performed their BSA audit procedures also.

You indicated the flood was a hot topic. FEMA has stated that non-compliance in the flood insurance area is usually due to failure to maintain converage when needed during the term of the loan. It seems that initial flood certifications at origination tend to be in compliance for the most part, but failure to renew policies down the road is a problem. How does your experience compare to this perspective?