AML/BSA Audits: Answers to Frequently Asked Questions (FAQs)
Thursday, February 13, 2025

Conducting periodic audits is essential for effectively managing anti-money laundering and Bank Secrecy Act (AML/BSA) compliance. Auditing AML/BSA compliance allows financial institutions, including foreign banks, to assess the efficacy of their compliance programs—and to make updates to their compliance programs when necessary.

By conducting AML/BSA audits, financial institutions can also demonstrate the efficacy of their compliance programs to the Federal Financial Institutions Examination Council (FFIEC) when necessary. FFIEC examinations can present substantial risks, so it is imperative for financial institutions to ensure that they are as prepared as possible. 

“Financial institutions need to prioritize effective AML/BSA compliance management. A key step toward effectively managing compliance is to gain a clear understanding of the efficacy of a financial institution’s compliance program. Not only are financial institutions federally required to conduct periodic AML/BSA audits, but periodic auditing also provides critical insight into whether a financial institution’s compliance policies, procedures, and protocols are functioning as intended.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.

With this in mind, what do financial institution executives and directors need to know about conducting AML/BSA audits? Here are the answers to some important FAQs: 

Are Financial Institutions Required to Conduct AML/BSA Audits?

Federal regulations require financial institutions to conduct audits (or “independent testing”) as part of their efforts to ensure anti-money laundering and Bank Secrecy Act (AML/BSA) compliance. However, this is as far as the regulations go. As a result, as the FFIEC makes clear, a financial institution’s auditing program, “should be commensurate with the [money laundering/terrorist financing (ML/TF)] and other illicit financial activity risk profile of the bank and the bank’s overall risk management strategy.”

In other words, while AML/BSA auditing and risk assessment are mandatory, the federal regulations leave it up to financial institutions to determine what specific auditing measures are necessary. An informed and custom-tailored approach is critical, and financial institutions should work with their outside counsel to develop an auditing strategy that allows them to manage AML/BSA compliance with confidence.

How Often Are Financial Institutions Required to Conduct AML/BSA Audits?

Just as the federal regulations do not establish substantive requirements for AML/BSA audits, they also do not establish a mandatory frequency. With that said, the FFIEC advises that financial institutions, “may conduct independent testing over periodic intervals (for example, every 12-18 months) and/or when there are significant changes in the bank’s risk profile, systems, compliance staff, or processes.”

As a general rule, financial institutions will want to conduct regularly scheduled audits as a matter of course so that they can maintain a clear understanding of the health of their AML/BSA compliance programs on an ongoing basis—and, for most, this will involve adopting an annual schedule. However, financial institutions must also make informed decisions about when additional mid-cycle audits are necessary. 

Can (and Should) Financial Institutions Use Internal Personnel to Audit AML/BSA Compliance? 

The FFIEC advises that financial institutions which, “do not employ outside auditors or consultants or do not have internal audit departments may . . . us[e] qualified bank staff who are not involved in the function being tested.” However, while it is permissible to use internal personnel in appropriate cases, financial institution leaders must make an informed and strategic decision about whether this is truly the best approach. If a financial institution does not have internal personnel who devote time to remaining up-to-date on AML/BSA compliance (and who also are not directly involved in the institution’s AML/BSA compliance efforts), then engaging outside counsel will be necessary. 

How Can Financial Institutions Document the “Independence” of their AML/BSA Auditors?

Independence is critical when conducting an AML/BSA audit. In fact, rather than stating that financial institutions must conduct internal audits, the federal anti-money laundering regulations state that financial institutions must conduct “independent testing.” Further elaborating on what we just discussed, the FFIEC advises that the internal auditor involved in conducting an AML/BSA audit should, “not [be] involved with the function being tested or other BSA-related functions at the bank that may present a conflict of interest or lack of independence.”

When engaging outside counsel to conduct an AML/BSA audit, the act of engaging outside counsel itself will generally be enough to satisfy any potential concerns about independence (though the scope of outside counsel’s engagement should still be clearly defined). When using internal personnel, additional steps will be necessary to demonstrate that these personnel have subject matter expertise, are unbiased, and do not have a personal interest in the outcome of the audit process.

How Can Financial Institutions Document Their Compliance with the AML/BSA “Independent Testing” Requirement?

Documenting compliance with the AML/BSA “independent testing” requirement involves thoroughly documenting the entire audit process as well as its findings and any subsequent remedial action. Another benefit of engaging outside counsel is that it allows this documentation to be protected under the attorney-client privilege. In any case, comprehensiveness is key, as any gaps in a financial institution’s audit documentation will raise questions about why those gaps exist. If there isn’t a clear answer, FFIEC examiners will have little choice but to err on the side of assuming noncompliance. 

What Compliance-Related Concerns Should an AML/BSA Audit Examine?

AML/BSA audits must be both comprehensive and custom-tailored. In the words of the FFIEC, “Independent testing of specific BSA requirements should be risk-based and evaluate the quality of risk management related to ML/TF and other illicit financial activity risks for significant banking operations across the organization. . . . Risk-based independent testing programs vary depending on the bank’s size or complexity, organizational structure, scope of activities, risk profile, quality of control functions, geographic diversity, and use of technology.”

In brief, AML/BSA audits should focus on a financial institution’s specific risks—and they should examine these risks from all relevant perspectives. The types of issues that will typically need to be addressed during the AML/BSA auditing process and transaction testing include: 

  • Monitoring systems for potentially suspicious activity, including filtering criteria and alerts
  • Processes for generating, reviewing, filing, and submitting Suspicious Activity Reports (SARs)
  • Processes for generating, reviewing, and filing Currency Transaction Reports (CTRs)
  • “Know your customer” compliance, including customer identification program (CIP) and customer due diligence (CDD) policies and procedures
  • Adherence to other anti-money laundering recordkeeping requirements 

Again, these are just broad examples. When preparing to conduct an AML/BSA audit, determining not only the scope of the audit, but also how the audit will be conducted, is essential. Following a systematic approach that is focused on a financial institution’s specific compliance obligations and risks is the only practical way to effectively assess compliance consistently on an ongoing basis. 

What Should Financial Institutions Do if They Discover Compliance Failures During an AML/BSA Audit?

This is not an uncommon scenario. When financial institutions uncover compliance failures during an AML/BSA audit, the key is to address these failures as efficiently as possible. The specific remedial measures that are necessary will depend on the specific circumstances involved—and this, too, requires informed decision-making. Crucially, during the financial institution’s next AML/BSA audit, assessing the efficacy of these remedial measures should be a top priority. 

What Types of Issues Are Likely to Trigger Scrutiny from the FFIEC?

Issues in any of the areas listed above have the potential to trigger scrutiny from the FFIEC. However, this list is far from exclusive. The FFIEC’s examiners exhaustively assess not only the efficacy of financial institutions’ compliance programs, but also the efficacy (and independence) of their auditing processes and procedures. 

How Can Financial Institutions Mitigate Their Risk of Facing FFIEC Scrutiny?

In light of everything we have discussed thus far, financial institutions can mitigate their risk of facing FFIEC scrutiny by taking a comprehensive and proactive approach to both managing and monitoring AML/BSA compliance. If financial institutions have documentation on hand that clearly demonstrates good-faith efforts to comply with all pertinent laws and regulations, they are both far less likely to face intensive FFIEC scrutiny and far less likely to face serious consequences in the event of an FFIEC examination.

What Should You Do if the FFIEC Opens an Examination of Your Financial Institution’s AML/BSA Compliance Efforts? 

Of course, even if a financial institution is fully federally compliant, this won’t necessarily stop the FFIEC from scrutinizing its AML/BSA compliance program. If the FFIEC opens an examination of your financial institution’s AML/BSA compliance efforts, you will want to engage your institution’s outside counsel promptly.

What Are the Risks of Failing to Effectively Manage AML/BSA Compliance for Financial Institutions?

If FFIEC examiners identify flaws or oversights in a financial institution’s AML/BSA compliance program or its auditing procedures, the consequences can be significant. The Bank Secrecy Act imposes substantial penalties for violations. These include not only regulatory and civil penalties, but even criminal penalties in some cases. 

Do Financial Institutions Need to Engage Outside Counsel to Conduct Their AML/BSA Audits?

With all of this in mind, do financial institutions need to engage outside counsel to conduct their AML/BSA audits? While the federal anti-money laundering regulations do not strictly require financial institutions to engage outside counsel to conduct their independent testing, doing so is strongly recommended for all of the various reasons discussed above. Working with experienced outside counsel allows financial institutions to both confidently manage AML/BSA compliance on an ongoing basis and confidently interface with the FFIEC when necessary.
