
Checking Your BSA Program Is More Important Than Ever

By William J. Showalter, CRCM; Senior Consultant, Young & Associates

Over the past year, we have seen at least 27 Bank Secrecy Act (BSA) enforcement actions from an array of financial institution supervisory agencies. Banks of all sizes, including community banks, continue to be hit with cease and desist (C&D) orders, formal agreements, consent orders, and even civil money penalties (CMP). Five of these actions involved monetary penalties of some sort totaling nearly $4 billion; all but about $109 million of that came from one case in which four federal agencies took action against a single bank, and one $100,000 CMP was imposed against an individual for BSA noncompliance. These enforcement actions remind us that even community banks and thrifts must have thorough and well-managed BSA compliance programs.

The enforcement actions do not spell out specifics of what the agencies found at each institution, but they do give us important insights into what the regulators will expect during your next BSA compliance exam.

Community banks should evaluate their BSA compliance programs in light of the corrective actions that these institutions are required to take.

Another important issue that financial institution management should remember is that the USA PATRIOT Act made BSA compliance as important as Community Reinvestment Act (CRA) compliance in getting an application approved.  The act adds BSA as a factor for consideration in merger transactions. The agency must take into consideration “the effectiveness of any insured depository institution involved in the proposed merger transaction in combating money laundering activities.”  This means that banks and thrifts must have more than a written BSA program.  They must be able to demonstrate that the program works.

BSA Compliance Programs

All insured banks and thrifts are required to develop, administer, and maintain a program that assures and monitors compliance with the BSA and its implementing regulations, including recordkeeping and reporting requirements. Such a program can help protect a bank against possible criminal and civil penalties and asset forfeitures.

At a minimum, a bank’s internal compliance program must be written, approved by the board of directors, and noted as such in the board meeting minutes. The program must include at least the following elements:

  • A system of internal controls to assure ongoing compliance
  • Independent testing of compliance
  • Daily coordination and monitoring of compliance by a designated person
  • Training for appropriate personnel
  • Risk-based customer due diligence/beneficial ownership procedures

Internal Controls

Senior management is responsible for assuring an effective system of internal controls for the BSA, including suspicious activity reporting, and must demonstrate its commitment to compliance by:

  • Establishing a comprehensive program and set of controls, including account opening, monitoring, and currency reporting procedures
  • Requiring that senior management be kept informed of compliance efforts, audit reports, identified compliance deficiencies, and corrective action taken – to assure ongoing compliance
  • Making BSA compliance a condition of employment
  • Incorporating compliance with the BSA and its implementing regulations into job descriptions and performance evaluations of bank personnel

Independent Testing of Compliance

The bank’s internal or external auditors should be able to:

  • Attest to the overall integrity and effectiveness of management systems and controls, and BSA technical compliance
  • Test transactions in all areas of the bank with emphasis on high-risk areas, products, and services to assure the bank is following prescribed regulations
  • Assess employees’ knowledge of regulations and procedures
  • Assess adequacy, accuracy, and completeness of training programs
  • Assess adequacy of the bank’s process for identifying suspicious activity

Internal review or audit findings should be incorporated after each assessment into a board and senior management report and reviewed promptly. Appropriate follow-up should be assured.

Regulators increasingly expect the BSA audit or testing program to also include these elements:

  • Confirmation of the integrity and accuracy of management information reports used in the AML compliance program
  • Overall integrity and effectiveness of the program
  • Evaluation of management’s efforts to resolve violations and deficiencies
  • Evaluation of the effectiveness of the suspicious activity monitoring systems
  • Review of the BSA risk assessment for reasonableness given the bank’s risk profile

BSA Compliance Officer

A bank or thrift must designate a qualified bank employee as its BSA compliance officer, who has day-to-day responsibility for managing all aspects of the BSA compliance program and compliance with all BSA regulations.  The BSA compliance officer may delegate certain BSA compliance duties to other employees, but not compliance responsibility.

The bank’s board of directors and senior management must assure that the BSA compliance officer has sufficient authority and resources – time, funding, staffing – to administer a comprehensive BSA compliance program effectively. The BSA officer must also have a direct reporting channel to the board of directors.

Board of Directors

The board must ensure that it exercises supervision and direction of the BSA/AML program. This involves making sure that the institution develops sound BSA/AML policies, procedures, and processes that are approved by the board and implemented by management. The board also has to ensure that the bank maintains a designated BSA officer with qualifications commensurate with the bank’s situation. As noted above, the BSA officer must report directly to the board and be vested with sufficient authority, time, and resources. The board must provide for adequate independent testing of BSA/AML compliance. The board should bear in mind that it has the ultimate responsibility for the institution’s BSA compliance.

Training

Financial institutions must ensure that appropriate bank personnel are trained in all aspects of the regulatory requirements of the BSA and the bank’s internal BSA compliance and anti-money laundering (AML) policies and procedures.

An effective training program includes provisions to assure that all bank personnel, including senior management, who have contact with customers (whether in person or by phone), who see customer transaction activity, or who handle cash in any way, receive appropriate training.  Board members also need to receive regular BSA/AML training, though at a much higher level with less detail than institution line employees.

The training needs to be ongoing and incorporate current developments and changes to the BSA, AML laws, and agency regulations.  New and different money laundering schemes involving customers and financial institutions should be addressed.  It also should include examples of money laundering schemes and cases, tailored to the audience, and the ways in which such activities can be detected or resolved.

Another focus of the training should be on the consequences of an employee’s failure to comply with established policy and procedures (e.g., fines or termination).  These programs also should provide personnel with guidance and direction in terms of bank policies and available resources.

Beneficial Ownership Procedures

The beneficial ownership rule contains three core requirements:

  • Identifying and verifying the identity of the beneficial owners of companies opening accounts
  • Understanding the nature and purpose of customer relationships to develop customer risk profiles, and
  • Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information

A beneficial owner is an individual who owns more than 25 percent of the equity interest in a company or is the single individual who exercises control.  Also subject to these requirements is the one person who has control of each legal entity customer.

Beyond the Basics

BSA enforcement actions continue to raise the bar for all financial institutions.  BSA compliance programs must meet additional standards in order to be considered adequate to meet the ever-evolving challenges that arise over time.

  • Customer due diligence (CDD). Verifying a customer’s name, address, date of birth, and identification number will satisfy the basic BSA customer identification requirements. However, these four pieces of information will not be enough to help an institution determine a customer’s typical account activity. The recent C&D orders make clear that regulators expect community bank managers to use information collected as part of the institution’s CDD process to predict the type, dollar amount, and volume of transactions that a customer is likely to conduct. This expectation goes beyond the new beneficial ownership rule to extend CDD expectations to the broader customer base. Several institutions subject to the recent round of enforcement actions were directed to develop specific procedures describing how the institution will conduct customer due diligence. As computer and software technology has improved, regulators have come to expect small and large banks alike to gather and review information about the normal range of a customer’s banking activities. They view the CDD processes and analysis as providing the framework that enables institutions to comply with suspicious activity reporting requirements.
  • Account & transaction monitoring. A number of institutions that received the most recent orders did not have adequate, or any, procedures for detecting and reporting suspicious activities. The enforcement actions make clear that community banks must specify in writing how the institution will analyze and use customer information to detect suspicious activities. As this area grows more complex, it becomes more difficult to maintain an adequate suspicious activity monitoring regimen without some form of automated monitoring.

Conclusion

The costs of being subject to an enforcement action go beyond extra regulatory scrutiny in subsequent examinations. Institutions under the latest round of actions must report the enforcement action in communications with their shareholders and spend significant sums of money to hire outside consultants to train employees, audit the revised BSA programs, and backfile required reports. They also must submit planned actions to the regulators involved for prior approval, as well as report regularly (usually quarterly) on their progress in remediating the deficiencies that led to their particular enforcement action.

An interagency BSA enforcement policy statement clarifies that formal enforcement actions will not be issued for minor BSA infractions. These enforcement actions are levied against financial institutions – including community banks – with significant breakdowns in their BSA compliance systems. The consent and other orders illustrate that all banks are expected to have very specific procedures for how they will collect customer information, predict customer account activity, utilize transaction monitoring reports, and train and manage employees with BSA-related responsibilities.

Be sure that you are not an object lesson for your banking fellows.  If we can help, contact us today.

The Future of Mortgage Loan Buybacks

Mitigating Repurchase Risk Before It’s Too Late

By Donald Stimpert, Manager of Secondary Market QC, Young & Associates

Understanding the Rising Risk of Loan Buybacks

The secondary mortgage market is evolving rapidly, and with it, lenders face increasing pressure to maintain strict quality control (QC) standards. Loan buybacks—once considered an occasional risk—have become a growing concern as investors, government-sponsored enterprises (GSEs), and regulatory bodies scrutinize loan origination and underwriting processes more closely.

Recent economic uncertainty, fluctuating interest rates, and regulatory changes have only amplified repurchase risks, making it imperative for financial institutions to adopt proactive strategies to mitigate potential buybacks before they impact profitability.

Why Are Mortgage Buybacks Increasing?

Several factors contribute to the rise in loan repurchase demands, including:

1. Heightened Investor Scrutiny

With a more volatile lending environment, investors and GSEs such as Fannie Mae and Freddie Mac are intensifying post-closing reviews to identify underwriting errors, miscalculations, and misrepresentations.

2. Rising Interest Rates and Loan Performance Issues

As interest rates climb, borrowers with recent mortgages may be at a higher risk of delinquency. A worsening performance trend in loans increases investor caution, leading them to revisit underwriting quality and enforce buybacks when defects are found.

3. Evolving Regulatory Standards

The Consumer Financial Protection Bureau (CFPB) and other regulators continue to refine lending requirements, particularly around fair lending, borrower income verification, and compliance with TRID (TILA-RESPA Integrated Disclosure) rules. Lenders who fail to maintain strict adherence to these standards may see increased buyback requests.

4. Defect Trends in Loan Underwriting

Recent QC reports indicate a surge in defects related to:

  • Income calculation errors
  • Debt-to-income (DTI) miscalculations
  • Missing documentation
  • Undisclosed liabilities
  • Misrepresentation of borrower information

Even minor discrepancies can trigger a repurchase demand, highlighting the need for enhanced QC measures.

Strategies to Minimize Repurchase Risk

To reduce exposure to loan buybacks, lenders must strengthen their QC frameworks and proactively address risk areas before loans reach the secondary market.

1. Strengthen Pre-Funding and Post-Closing QC Reviews

Implementing a robust pre-funding QC process helps catch potential defects before loans are sold, significantly reducing repurchase risk. Post-closing audits should be conducted consistently, ensuring that any issues are corrected before investor scrutiny.

2. Enhance Data Validation and Borrower Verification

Investors are increasingly focused on data integrity. Lenders must adopt advanced verification tools to cross-check borrower information, income, employment history, and undisclosed debts, minimizing the risk of fraud and errors.

3. Implement Targeted Sampling for QC Reviews

Rather than relying solely on random sampling, lenders should integrate risk-based QC sampling that focuses on high-risk loan categories, such as self-employed borrowers, non-traditional income sources, or jumbo loans.

4. Maintain Open Communication with Investors and GSEs

Establishing proactive dialogue with investors, servicers, and GSEs can help lenders identify evolving QC expectations and regulatory shifts, allowing them to adjust policies before issues escalate into buyback requests.

5. Conduct Regular Staff Training and Compliance Refreshers

Underwriting and QC staff should receive continuous training on updated investor guidelines, industry best practices, and regulatory changes. Well-informed teams are less likely to overlook critical details that lead to defects.

A More Proactive Approach to Mortgage QC

The risk of loan buybacks is unlikely to disappear, but financial institutions that take a proactive approach to mortgage quality control will be better positioned to minimize losses, maintain strong investor relationships, and protect their bottom line.

By integrating technology-driven audits, enhanced borrower validation, and risk-based QC sampling, lenders can significantly reduce repurchase exposure and navigate the evolving secondary market with confidence.

Is your institution prepared to mitigate repurchase risk? Young & Associates offers customized Mortgage QC solutions designed to enhance your quality control processes and protect your loan portfolio. Contact us today to learn how we can help safeguard your secondary market loan sales.

Internal Audit: Your Third Line of Defense in Third-Party Risk Management

By Jeanette McKeever, CCBIA, Director of Internal Audit, Young & Associates

In today’s financial landscape, banks and credit unions increasingly rely on third-party vendors to meet regulatory demands, leverage technological advancements, and maintain competitive edges. However, these relationships introduce various types of risk that internal audit must consider, from compliance and operational risks to reputational and strategic risks. Amidst economic uncertainty, increased digitalization, and growing supervisory attention, many financial institutions are reviewing their third-party risk management (TPRM) frameworks to ensure they are robust and comprehensive.

Here, the role of internal audit becomes indispensable. Internal audit’s role in TPRM goes beyond mere compliance. By leveraging their unique skills and perspectives, internal auditors can help institutions identify, monitor, and control risks while achieving strategic goals.

Understanding Third-Party Risk in Banking

Third-party relationships and their associated risks require careful management. Ineffective oversight of the complex operational, financial, technological, and legal agreements governing these extended business relationships can lead to brand or reputation damage, data security breaches, and significant financial losses. Additionally, such oversight failures can result in errors in financial reporting, compounding the challenges and potential impacts on the institution.

Financial institutions are entrusting an increasing percentage of their operations to third parties, prompting regulators to scrutinize these relationships more closely. The updated interagency guidance from the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Board (FRB), and the Office of the Comptroller of the Currency (OCC) outlines the regulatory expectations for managing third-party risks throughout the relationship lifecycle: planning, due diligence, selection, contract negotiation, ongoing monitoring, and termination.

Monitoring vendor performance is also a regulatory requirement for credit unions. The National Credit Union Administration (NCUA) specifies the criteria for assessing vendor performance in their 2007 supervisory letter SL No. 07-01, “Evaluating Third-Party Relationships.” This guidance emphasizes key areas for third-party relationship management, including risk assessment and planning, due diligence, risk management, monitoring, and control.

The Role of Internal Audit in Third-Party Risk Management

Though Chief Risk Officers are typically responsible for managing third-party risks, internal audit plays a crucial role as the third line of defense. Internal auditors bring essential skills, capabilities, and perspectives to thoroughly examine TPRM programs, identifying gaps or areas for improvement that might have been missed by the second line of defense. The board relies on internal auditors as an extra layer of security to ensure that third-party risks are properly identified and assessed, appropriate internal controls are in place, and timely risk intelligence is generated to inform decision-making.

Leveraging Internal Audit to Improve Third-Party Risk Controls

Internal audit can contribute significantly to managing third-party risks through various areas:

  • Pinpointing Critical Contracts: Internal auditors can assist in identifying high-risk third parties and ensure they receive more frequent scrutiny. This can help with prioritizing risk management efforts.
  • Assessing Risk Management Programs: They can evaluate the effectiveness of third-party due diligence processes and controls, conducting research to gauge the risk level and reputation of third parties.
  • Reviewing Compliance with Governance Standards: Internal auditors can verify if the financial institution’s processes for selecting and managing third parties adhere to governance requirements and include necessary risk and compliance clauses in contracts.
  • Evaluating and Improving Risk Controls: They can assess the effectiveness of risk management controls, ensure regulatory compliance, and check for “right to audit” clauses in third-party agreements.
  • Facilitating Informed Decision-Making: Auditors offer valuable insights into third-party risks and evaluate decision-making and contract management processes, ensuring that these processes align with the bank or credit union’s strategic objectives and provide sufficient risk protection.
  • Assessing Performance and Identifying Opportunities: They review overall third-party performance, detect inconsistencies, and recommend best practices for effective risk and performance management.

Integrating Internal Audit into Third-Party Risk Management Strategies

1. Independent Vendor Risk Assessment and Identification

Conducting a risk assessment is essential for the initial decision-making process regarding whether to establish a third-party relationship. Internal auditors bring an independent perspective to the assessment and identification of third-party risks. They can perform thorough risk assessments to identify all third-party relationships and associated risks. This independent evaluation helps ensure no significant risk is overlooked, and it provides a holistic view of the financial institution’s third-party risk landscape.

2. Vendor Due Diligence and Selection Oversight

The due diligence process equips management with the necessary information to evaluate both the qualitative and quantitative aspects of potential third parties, determining whether a relationship will support the financial institution’s strategic and financial goals while mitigating identified risks.

If your financial institution has its own internal audit team, involving them in the due diligence process for vetting potential third-party relationships can be highly beneficial. Though not yet a prevalent practice in community banks and credit unions, leveraging your institution’s third line of defense can enhance third-party risk management processes and provide an extra layer of protection.

Internal audit teams can provide oversight during the due diligence and selection phases of third-party relationships. They can assess the processes used for selecting third parties to confirm that the institution has effective policies and procedures in place. By ensuring thorough due diligence, internal auditors help identify potential risks early on. Their oversight includes evaluating the third party’s operational quality, compliance capabilities, risk profile, and long-term viability.

3. Contract Management and Compliance

Financial institution management should ensure that the specific expectations and obligations of both the financial institution and the third party are clearly defined in a written contract before finalizing the arrangement. Board or committee approval is required for many material third-party relationships, and significant contracts should be reviewed by appropriate legal counsel before finalization. The level of detail in contract provisions will depend on the scope and risks associated with the third-party relationship. Effective contract management is crucial for mitigating third-party risks. This involves not just due diligence but also thorough processes in agreement formation, publication, activation, compliance with service delivery, analysis, optimization, and offboarding.

The internal audit function can engage in contract management in two key areas:

  1. Auditing the overall contract management process.
  2. Reviewing active contracts with critical vendors.

Auditing the Contract Management Process

An effective contract management process is crucial for maintaining strong performance across your institution. Even minor inefficiencies can lead to significant issues, particularly when your financial institution aims to grow and scale. A robust contract management system contributes to a thriving institution.

Regular audits of your contract management lifecycle can reveal hidden costs and growth opportunities. These audits should assess process deficiencies, compliance issues, and historical management practices. Start by identifying key stages in your process and setting benchmarks for measurement. Key stages often include planning, due diligence, selection, contract negotiation, ongoing monitoring, and termination, as outlined in regulatory guidance.

Evaluate your management practices within each stage. Is the contract management process clearly defined? Are roles and responsibilities assigned? Who ensures compliance with service-level agreements (SLAs)? Addressing these questions through a contract management audit can help identify risks and gaps, ensuring a more effective and efficient process.

Reviewing Active Contracts with Critical Vendors

Begin by inventorying and segmenting critical vendors based on risk levels to identify those most critical to audit. Incorporate audits of high-risk and important service provider contracts into your annual audit plan. Gain an understanding of the key risks associated with each service provider and thoroughly review their contracts.

Internal auditors can review critical third-party contracts to ensure they include comprehensive risk and compliance clauses. This includes verifying that contracts have “right to audit” provisions, which allow the institution to monitor third-party compliance continuously. Once you’ve established your audit rights, you can start the contract audit by assessing key legal and business risks. Look for deficiencies and compliance issues in the contract, and consider conducting on-site reviews if your audit rights permit. An efficiency audit may also be warranted to ensure services are delivered as per the contract and service level agreements.

After completing the audit, validate the results, identify root causes, and propose solutions. Finally, communicate the results to the contract owner and key stakeholders, ensuring they are informed of the findings and recommended actions.

4. Ongoing Monitoring and Reporting

Once a third-party relationship is established, continuous monitoring is essential to manage evolving risks. Internal audit can play a vital role in developing and implementing monitoring frameworks that track third-party performance, compliance, and risk exposure. Regular audits and reviews can provide senior management with timely risk intelligence, enabling informed decision-making and ensuring that effective internal controls are in place.

5. Internal Audit Collaboration with Risk Management Functions

Internal audit of third-party risk management becomes more effective when auditors and risk managers collaborate and share information, leveraging each other’s abilities and tools. By working closely with risk, compliance, and other departments, internal auditors can ensure that third-party governance policies and procedures are consistently applied across the bank or credit union.

By integrating third-party risk assessments with audit plans, both auditors and risk management teams can eliminate redundancies in the risk evaluation processes. This approach also helps standardize the risk language used and offers management teams and boards a comprehensive view of the financial institution’s third-party risk profile. This collaboration integrates TPRM into the overall risk management strategy, enhancing the institution’s ability to manage third-party risks.

Building a Robust Third-Party Risk Management Framework

To effectively manage third-party risks, financial institutions should establish a comprehensive TPRM framework. TPRM necessitates a framework that holds the board of directors and senior management accountable, requiring them to adjust the principles based on the size, scope, and criticality of the products or services provided by third parties. This framework should be consistently applied across the institution and integrated into its operational, risk, and compliance management activities. As discussed, key components of a robust TPRM framework include:

  • Defining and Inventorying Third-Party Vendors: Internal audit can assist in identifying and inventorying all third-party relationships, categorizing them by risk level and criticality.
  • Risk Appetite Assessment: Assessing the bank or credit union’s risk appetite concerning third-party relationships, particularly those in high-risk locations or industries.
  • Enhanced Vendor Due Diligence: Conducting enhanced due diligence for critical third-party relationships, ensuring alignment with the institution’s risk profile and regulatory requirements.
  • Ongoing Monitoring and Performance Standards: Establishing and maintaining rigorous monitoring and performance standards for third-party relationships, ensuring continuous compliance and risk management.
  • Training and Awareness: Providing training for stakeholders on TPRM processes and the importance of effective third-party risk management.

Risk-Based Internal Audit for Financial Institutions

With regulatory bodies calling for enhanced third-party oversight, the imperative for thorough risk and assurance functions has never been greater. These functions must delve deeply into the third-party network to ensure that critical risks and compliance requirements are diligently managed and monitored. Internal auditors are pivotal in this endeavor and should seek to broaden their role in fortifying third-party risk management.

At Young & Associates, we understand the critical importance of robust TPRM processes and offer expert consulting services to help banks and credit unions strengthen their internal audit functions, risk management, and more. By leveraging our expertise, financial institutions can enhance their third-party risk management frameworks, ensuring compliance, mitigating risks, and achieving strategic objectives. Ultimately, effective TPRM is not just about regulatory compliance; it’s about creating a resilient and thriving financial institution.

For more information on how Young & Associates can support your internal audit needs, click here.
