I'm just curious.... Where does it say in the FFIEC guidance that a "written" BSA policy is necessary?

I hope you're asking this because someone is questioning you & you need some written proof?

The first pillar is a BSA/AML compliance program. See pg 28 of the Exam manual.

"Management should understand the bank's BSA/AML risk exposure and develop the appropriate policies, procedures, and processes to monitor and control BSA/AML risks."

Pg 32

"Review of the bank's written policies, procedures, and processes is a first step in determining the overall adequacy of the BSA/AML compliance program"

"The BSA/AML compliance program must be written, approved by the board of directors, and noted in the board minutes."

Your federal functional regulatory agency; e.g. FDIC, OCC, the Fed has "program regulations" that require you to develop a written BSA policy and have it adopted by your bank's board of directors. They have been in effect since April, 1987.

The specfic requirement does not come from the Bank Secrecy Act itself.

Ok thank you! This helps. I was actually wanting to compare the wording that the FFIEC uses in other areas. I know that we are required to have written procedures for BSA but I wasn't so sure if it was required for other things like wires. Apparantly we don't have a written policy for wires and the only thing I could see in the FFIEC Infobase regarding wires just says that the institution should have appropriate procedures in place..... I didn't see anything that said they had to be written (but I could be missing it). Although I would prefer that the bank have written policies and procedures, I wasn't sure if it was an actual violation if they didn't.

Not mentioning wire transfers in your policy would not be a "violation." However, based on the following, I agree that your policy should discuss your handling of wires.

The required elements of your policy are: individual responsible, internal controls, independent testing, and training. There are wide variations in opinions regarding the specific topics that should be addressed in a BSA policy. My suggestion is that everything covered as a core examination topic (per the Manual) should be mentioned in your policy if your bank engages in the activity. So, that would include:

* CIP (technically, it could be addressed in a separate AML policy instead)
* Customer due diligence (again, addressing it in an AML policy is an alternative)
* Suspicious activity reporting
* Currency transaction reporting
* Information sharing
* Purchase and sale of monetary instruments Recordkeeping
* Funds transfers recordkeeping
* Foreign correspondent account recordkeeping and due diligence
* Private banking due diligence
* Special measures
* Foreign Bank and Financial Accounts Reporting
* International transportation of currency or monetary instruments reporting

Others may follow saying what their examiners told them they had to put in the policy. This is an area where examiners are full of opinions...

Again, this list comes from the list of issues that are to be examined in a core exam. I simply think a bank should have a policy dealing with every issue that it knows will be examined in a routine exam. If more detail was sought, I would work from the list of topics addressed in an "expanded" examination, also per the Manual, not the personal opinion of any individual, examiner or otherwise.

Going through an IT Exam right now & they are digging into our Wires. Especially with all the fraud out there right now and the FFIEC guidance for "Supplement to the 2005 Guidance for Authentication in an Internet Banking Environment" ... a policy on Wires would be highly recommended.

I have a risk assessment I created I can share with you if you PM me your email.