Every two weeks I download from the FinCen website the 314(a) subject list and send to several people in our bank to verify if we are doing business with these people. I save this list of names from the FinCen website on my computer. It is password protected and when I send it via e-mail it is also password protected. I ask for responses from the people to let me know if they have any hits or not. I save their responses and place on a spreadsheet the date of the responses.

Should I destroy the file of names and have the people indicate to me they destroy the file also? I heard regulators have written up banks for keeping these files. If it is ok to keep, then how long should I keep them?

Thanks for your help.

Your IT Department should be checking your customer base and providing you with the results.
Other Department heads should not be receiving the list.
The list requires the highest confidentiality.
I keep them until my next exam and then destroy.

MagicCity - That is not ture. At my institution, IT does nothing with this. It is all the responsibility of the compliance department.
Baseballfan - We keep our results for the time required by our document destruction policy (as it varies by state). However, the list that we search against is usually saved for about a year and we have not been written up for it.

Our IT department also has nothing to do with this process. I dont keep the list at all. I have a document that I sign and date whether or not we had any hits or not and I keep the emails from the others who check their respective departments.

I download the list to my desktop and then upload it to my AML software to search our database. The software prints a certification for verification signing. I then delete the list from my desktop. I had an auditor caution me because I was not empting my trash after deletion. He said the lists were not to be saved or shared.

When the OTS was here for our BSA Exam they strongly recommened that I stop retaining a copy of the list. They said that I had secured it well but they did not think I should keep it. When I go to the website each week I print the screen that shows the list by date. I also have a form I fill out noting the FinCEN Tracking numbers and all the areas searched.

Dance 129 - It may not be true for your institution.
It is for mine.
The IT staff scrub the database and produce a report of possible matches for Compliance to review.
BSA and Beyonds process is another way I have done it.