Compliance Alliance Question of the Week

Question:
Can you clarify all of the documents that the Board of Directors is required to review prior to approving the BSA/AML Policy?  Does the BOD need to review the Policy, Risk Assessment and Procedures as a total program review?

​Answer:
Because procedures and policies are components of the BSA/AML compliance program, conservatively, the Board of Directors should be approving both of them. Additionally, even though it is not explicitly required, because of how broad the requirement is and in the spirit of keeping the board informed, we have members who also obtain board approval for the risk assessment component.

(b) Establishment of BSA compliance program—(1) Program requirement. Each bank shall develop and provide for the continued administration of a program reasonably designed to ensure and monitor compliance with the recordkeeping and reporting requirements set forth in subchapter II of chapter 53 of title 31, United States Code, the Bank Secrecy Act, and the implementing regulations promulgated thereunder by the Department of the Treasury at 31 CFR part 103. The compliance program shall be reduced to writing, approved by the board of directors, and noted in the minutes.
§ 208.63: https://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&sid=512f235ab20bd5823c2a3d1bfdb1c168&rgn=div8&view=text&node=12:2.0.1.1.9.6.3.4&idno=12

The BSA/AML compliance program must be written, approved by the board of directors, and noted in the board minutes. A bank must have a BSA/AML compliance program commensurate with its respective BSA/AML risk profile. Refer to the core overview section, "BSA/AML Risk Assessment," page 18, for additional guidance on developing a BSA/AML risk assessment. Refer to Appendix I (“Risk Assessment Link to the BSA/AML Compliance Program") for a chart depicting the risk assessment’s link to the BSA/AML compliance program. Furthermore, the BSA/AML compliance program must be fully implemented and reasonably designed to meet the BSA requirements.32 Policy statements alone are not sufficient; practices must coincide with the bank’s written policies, procedures, and processes. The BSA/AML compliance program must provide for the following minimum requirements:
· A system of internal controls to ensure ongoing compliance.
· Independent testing of BSA/AML compliance.
· Designate an individual or individuals responsible for managing BSA compliance (BSA compliance officer).
· Training for appropriate personnel.
BSA/AML Manual: https://www.compliancealliance.com/find-a-tool/tool/regulatory-policy-and-training-requirements