Supervisory Actions Taken for Bank Secrecy Act Violations
March 31, 2004
Audit Report No. 04-017
Material has been redacted from this document to protect personal privacy, confidential or privileged information.
 Federal Deposit Insurance Corporation
Office of Audits
Office of Inspector General
Washington, D.C. 20434
DATE: March 31, 2004
MEMORANDUM TO: Michael J. Zamorski, Director, Division of Supervision and Consumer Protection
FROM: Russell A. Rau [Electronically produced version; original signed by Russell Rau], Assistant Inspector General for Audits
SUBJECT: Supervisory Actions Taken for Bank Secrecy Act Violations (Audit Report Number 04-017)
This report presents the results of the Office of Inspector General’s (OIG)
audit of the Federal Deposit Insurance Corporation's (FDIC) process for ensuring
corrective actions are taken by bank management to address violations (Note:
According to the Division of Supervision and Consumer Protection’s Manual of
Examination Policies, examiners report and document in the reports of examination
those situations that appear to be contraventions of law or regulation. Because
examiners are not final adjudicators, examiners qualify findings by referring
to them as "apparent violations." Our final report uses the term “violations” when
referring to situations identified, reported, and/or cited in the reports of
examinations and the FDIC’s automated tracking and reporting system. The OIG
has not made a judgment on the legalities related to the “apparent” violations
discussed in this report) of the Bank Secrecy Act (BSA) of 1970. We initiated
this audit in response to interest expressed by staff of the Subcommittee on
Oversight and Investigations, House Committee on Financial Services. The objective
of this audit was to determine whether the FDIC Division of Supervision and
Consumer Protection (DSC) adequately follows up on BSA violations reported
in examinations of FDIC-supervised financial institutions (Note: The FDIC is
the primary federal regulator of state-chartered institutions that are not
members of the Federal Reserve System. Such institutions also include state-licensed
insured branches of foreign banks and state-chartered mutual savings banks.
According to the FDIC’s Letter to Stakeholders, 3rd Quarter 2003, the number
of FDIC-supervised institutions totaled 5,343 as of September 30, 2003) to
ensure that they take appropriate corrective action. To accomplish our objective,
we reviewed the steps taken by the DSC to ensure institutions have implemented
effective corrective action to address these violations. (Note: For purposes
of this report, a distinction is made between corrective action taken by bank
management to address BSA violations and supervisory action taken by the FDIC
to ensure compliance. FDIC’s supervisory actions may include efforts to follow
up with bank management after examinations, including correspondence, and follow-up
visitations or examinations, and the use of regulatory action. Regulatory action
is defined to include informal actions (such as bank board resolutions or memorandums
of understanding) and formal enforcement actions (such as cease and desist
orders) to prompt management action.) Appendix I of this report discusses our
objective, scope, and methodology in detail. An acronyms list and a glossary
of terms used in this report are provided in Appendix VII and Appendix VIII,
respectively.
BACKGROUND
The Bank Secrecy Act of 1970, Public Law 91-508, codified to 31 U.S.C. Section 5311 et seq., requires financial institutions to maintain appropriate records and to file certain reports that are used in criminal, tax, or regulatory investigations or proceedings. Congress enacted the BSA to prevent banks and other financial service providers from being used as intermediaries for, or to hide the transfer or deposit of, money derived from criminal activity. The BSA’s implementing regulation, 31 Code of Federal Regulations (C.F.R.) Part 103, is used to aid law enforcement agencies in the investigation of suspected criminal activity such as illegal drug activities, income tax evasion, and money laundering (Note: Money laundering is the process by which criminals or criminal organizations seek to disguise the illicit nature of their proceeds by introducing them into the stream of legitimate commerce and finance.) by organized crime.
The BSA consists of two parts -- Title I, Financial Recordkeeping, and Title
II, Reports of Currency in Foreign Transactions.
- Title I authorizes the Secretary of the Treasury (Treasury Department) (Note:
For reporting purposes, we will refer to the Secretary of the Treasury as
the "Treasury Department.")
- Title II directs the Treasury Department to prescribe regulations governing the reporting of certain transactions by and through financial institutions in excess of $10,000 into, out of, and within the United States. A financial institution must file a Currency Transaction Report (CTR) (Note: According to DSC’s Manual
of Examination Policies, Financial Recordkeeping and Reporting Regulations, dated February 1999, law enforcement agencies have found CTRs to be useful in tracking cash generated by illicit drug traffickers. Accordingly, comprehensive examination procedures have assisted in detecting possible money laundering resulting from drug trafficking in federally insured financial institutions.) with the Treasury Department for each cash transaction over $10,000 or multiple cash transactions by an individual in 1 business day or over a period of days aggregating over $10,000. The BSA also requires financial institutions to file Suspicious Activity Reports (SARs) with the Treasury Department when suspected money laundering activity or BSA violations occur.
Emphasis on anti-money laundering efforts has risen significantly in recent years, especially since the events of September 11, 2001. For example, in response to those events, the Congress enacted the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, Public Law 107-56 (USA PATRIOT Act, hereafter referred to as the PATRIOT Act), which expands the Treasury Department’s authority initially established under the BSA to regulate the activities of U.S. financial institutions, particularly their relations with individuals and entities with foreign ties. (Note: Hereinafter, all references to the BSA will include the PATRIOT Act amendments.) The provisions of the PATRIOT Act were designed to facilitate the prevention, detection, and prosecution of international money laundering and the financing of terrorism.
BSA Requirements for FDIC-Supervised Institutions
Section 326.8(b) of the FDIC’s Rules and Regulations, codified to 12 C.F.R. Part 326, requires each FDIC-supervised institution to develop and administer a program to ensure compliance with the BSA and 31 C.F.R. Part 103. The institutions’ boards of directors must approve the compliance program in writing, and in accordance with Section 326.8(c), the program should include four minimum requirements:
- a system of internal controls to assure ongoing compliance,
- independent testing for compliance with the BSA and 31 C.F.R. Part 103 to be conducted by bank personnel or an outside party,
- designation of individual(s) responsible for coordinating and monitoring compliance with the BSA, and
- training in BSA requirements for appropriate personnel.
Appendix II details the minimum requirements for FDIC-supervised financial institutions.
Examination Authority
The Treasury Department has overall authority for BSA enforcement and compliance; however, its regulations delegate authority to financial institution regulatory agencies, including the FDIC, to examine financial institutions for compliance. In this capacity, the FDIC has authority to (1) examine the institutions it supervises for compliance with the BSA, (2) refer BSA violations to the Treasury Department, and (3) impose regulatory actions for BSA violations. The FDIC is also required by the Federal Deposit Insurance Act (FDI Act) to:
- prescribe regulations requiring insured depository institutions to establish and maintain procedures reasonably designed to ensure and monitor compliance with the BSA,
- review such procedures during their examinations of these institutions, and
- enforce compliance with the BSA monetary transaction recordkeeping and report requirements.
The FDIC also issues regulations, Financial Institution Letters (FILs),(Note: The FDIC uses FILs to correspond with the financial institutions that it supervises. FILs may be issued for a variety of reasons, including notification of BSA requirements and other issues of principal interest to those responsible for operating a bank or savings association.) and other guidance to the financial institutions that it supervises; updates Corporation examination and training materials; and ensures that DSC examiners are adequately trained to monitor BSA compliance. DSC requires examiners to use risk-focused examination procedures to assess BSA compliance. (Note: On August 15, 2003, the DSC issued interim guidance in Transmittal 03-042, Bank
Secrecy Act Examination Procedures, updating the BSA risk-focused approach. The objective of this approach is to effectively evaluate the safety and soundness of the bank, including the assessment of risk management systems, financial condition, and compliance with applicable laws and regulations, while focusing resources on the bank’s highest risks.) To accomplish this, examiners may use (1) core procedures that are considered during the basic review, (2) expanded procedures that are used to target concerns identified during the basic review, and (3) impact analyses to assess the seriousness of identified deficiencies. To assess the impact of deficiencies identified during the basic and expanded reviews, examiners determine whether BSA violations and weaknesses:
- are serious and indicate the need for civil money penalties,
- necessitate referrals to law enforcement agencies,
- necessitate a cease and desist order for cases in which a mandatory BSA compliance program was not established or maintained, and
- affect the safety and soundness of the institution.
Appendix III provides DSC’s control and performance standards and the associated risks that examiners may consider in assessing an institution’s BSA compliance program.
Referrals to the Treasury Department
According to referral guidelines issued by the Treasury Department’s Office of Financial Enforcement in October 1990, the Treasury Department has a zero tolerance level for violations of the BSA but recognizes that BSA violations are of a varying nature. The guidelines were designed to assist the financial institution regulatory agencies in determining which BSA violations by banks warrant referral to the Treasury Department “for review and possible assessment of civil and/or criminal penalties” because referrals had been made “that were not significant enough to warrant penalties.” The guidelines do not define what constitutes a significant violation. Rather, the guidelines state, “Because the determination process often is subjective, sound examiner judgment and experience also are required.” To assist with the determination process, the guidelines instruct examiners to “assess all of the facts and circumstances surrounding the violations,” including whether:
- the violations represent an isolated incident caused by human error;
- the deficiencies are indicative of significant noncompliance with the BSA and/or systemic weaknesses in the institution’s BSA compliance program;
- the types and nature of the violations are serious;
- the violations are the result of blatant, willful, or flagrant disregard for BSA requirements;
- there is a pattern of noncompliance with one or more sections of the regulations;
- the violations result from inadequate policies, procedures, or training programs; and
- the violations result from a nonexistent or seriously deficient compliance program.
DSC procedures require examiners to use the Treasury Department’s guidelines to determine when a referral is appropriate.
Regulatory Actions for Noncompliance
Failure by a financial institution to comply with the BSA can result in regulatory sanctions by either the Treasury Department or the FDIC. The BSA and its underlying regulations give the Treasury Department the authority to assess civil money penalties for violations and to authorize criminal prosecution. The FDIC is required to report all identified BSA violations to the Treasury Department and to refer violations that warrant penalties. Such referrals, however, do not preclude the FDIC from taking regulatory action when BSA violations are identified. As cited in 12 U.S.C. 1818(s), the FDIC shall issue a cease and desist order to any FDIC-supervised institution that fails to establish and maintain appropriate BSA procedures or to correct any previously reported problem with the procedures. DSC Transmittal 92-094, Bank
Secrecy Act Compliance Examinations, dated July 30, 1992, provides guidance for implementing this authority. Appendix IV summarizes the Treasury Department and FDIC authority for enforcing compliance with BSA requirements.
RESULTS OF AUDIT
The FDIC needs to strengthen its follow-up process for BSA violations and has initiatives underway to reassess and update its BSA policies and procedures. Of the 5,662 financial institutions that the FDIC supervised on average for the period January 1, 1997 through September 30, 2003, FDIC’s tracking system (Note: The DSC uses FDIC’s Virtual Supervisory Information on the Net system (ViSION) to track apparent BSA violations cited in FDIC reports of examination. The DSC also uses ViSION to report BSA violations to the Treasury Department.) for BSA violations identified:
- 2,672 financial institutions, or approximately 47 percent, as being cited for one or more BSA violations; and
- 458 financial institutions, or approximately 17 percent of the 2,672
institutions, as having repeat BSA violations. (Note: Although ViSION identified
458 institutions as having repeat violations, DSC reported that violations
involving different sections of the regulation may be grouped under the same
violation code in ViSION, thus incorrectly identifying some violations as repeats.
However, because ViSION is DSC’s system for tracking apparent violations of
BSA, ViSION was used to select the sampled institutions for our audit and to
obtain a general estimate of the percentage of FDIC-supervised institutions
with repeat violations. Of the 19 institutions in our sample that were selected
because they were identified in ViSION as having repeat violations, we confirmed
that 18 had repeat violations.)
Of the sample of 41 institutions we selected to review, 27 had repeat violations. (Note: Our sample of 41 institutions included 22 institutions selected randomly by regional/area office and 19 institutions judgmentally selected because they were identified in ViSION as having repeat violations. As noted in footnote 11, we confirmed that 18 of those 19 institutions had repeat violations. In addition, 9 of the 22 institutions that were selected randomly also had repeat violations, resulting in 27 institutions with repeat violations. In addition, after issuance of the draft report to DSC for written comment, the OIG identified one more institution that had a repeat violation. However, because the DSC did not have an opportunity to review the circumstances related to that repeat violation and provide a response, the OIG did not adjust the number of repeat institutions included in this report.) Of those 27, 17 institutions (63 percent) were not subject to regulatory action for their repeat violations, although other supervisory efforts may have been in progress. Of the 10 institutions that were subject to regulatory action, only 1 was subject to a cease and desist order. DSC policy states that repeat violations cannot be tolerated and that cease and desist orders should be initiated in such cases. In addition, Section 8(s) of the FDI Act states that, “If the appropriate Federal banking agency determines that an insured depository institution … has failed to correct any problem with the [BSA] procedures … which was previously reported … by such agency, the agency shall issue an order … requiring such depository institution to cease and desist from its violation….” However, according to the FDIC’s Legal Division, enforcement authority always involves some element of discretion, including consideration of the nature of the violation and supervisory judgment as to how best to address the violation. Appendix V provides a recap of the institutions we reviewed, the types of BSA violations identified, whether the institutions were cited for repeat violations, and the types of regulatory actions taken.
For the 41 banks in our sample, we reviewed 82 reports (Note: The 82 reports include 81 examination reports and 1 follow-up visitation report that cited at least one BSA violation for the 41 sampled institutions and that were included in ViSION. The official draft report states that we reviewed 80 examination reports, but after issuance of the draft report to DSC for written comment, the OIG identified 2 additional examination reports that cited BSA violations and had been included in our analyses.) that cited apparent and often multiple BSA violations. For 25 (30 percent) of those 82 reports, the DSC waited until the next examination to follow up on some or all of the BSA violations. In addition, we noted that not all BSA deficiencies described in DSC’s examination reports were cited in the violations section of the reports. (Note: Based on discussions with DSC officials, cited violations are those violations included in the Violations of Laws and Regulations schedule of the examination reports and should be recorded in ViSION.) Also, DSC’s regional offices took various approaches to handling violations related to the filing of CTRs and to referring bank violations to the Treasury Department.
We also observed that DSC regional and field offices exercised wide discretion in deciding whether and when to follow up on the violations or take regulatory action. In some cases, more than 1 to 5 years passed before (1) bank management took corrective action that was effective to prevent repeat violations or (2) the DSC applied regulatory actions to address continuing violations. Additionally, the FDIC typically alternates examinations with state banking authorities, but the state examinations usually did not cover BSA compliance. As a result, 2 to 3 years can sometimes elapse until the next FDIC examination without any follow-up on BSA violations.
As a result of these conditions, the FDIC has not always ensured that all identified BSA violations have been included and tracked in ViSION and, therefore, has not ensured complete reporting to the Treasury Department. Further, the FDIC’s supervisory actions have not ensured to the greatest extent possible that institutions are in compliance with both the Treasury’s and the FDIC’s anti-money laundering requirements.
In responding to our observations, DSC officials explained that they focus their efforts on BSA compliance based on their assessment of the risk of money laundering activity for their supervised institutions. DSC provided us with information on a number of cases not included in our sample for which they believed supervisory efforts were successful in addressing BSA concerns. Additionally, we noted that DSC is taking steps to update its BSA guidance and is conducting a reassessment of its BSA-related policies and procedures. Furthermore, the FDIC is conducting a review of regulatory burden and is researching ways to reduce the burden of BSA filing requirements for financial institutions without hampering efforts to combat money laundering and terrorist financing.
FOLLOW-UP FOR BSA VIOLATIONS SHOULD BE STRENGTHENED
For most of the 82 reports with BSA violations in our sample, the DSC initiated timely follow-up and other supervisory actions or obtained timely evidence of bank corrective actions. However, in some cases, BSA violations were repeatedly identified in multiple examination reports before bank management took corrective action or the FDIC took regulatory action to address the repeat violations. Further, for 25 (30 percent) of the examination reports, the DSC waited until the next examination to determine whether a bank had corrected some or all of its violations. According to one DSC official, each regional office exercises discretion in assessing bank compliance with BSA requirements. The decision on whether and at what time to follow up on BSA violations is a decentralized process and, in many cases, is based on the FDIC’s view from experience that the institution represents a relatively “low risk” in terms of potential money laundering activities. This decentralized process has resulted in a wide range of follow-up actions for BSA violations and of elapsed time before supervisory actions are taken. As a result, the BSA compliance programs of some institutions have remained weak for extended periods.
We sampled 41 of the 2,672 financial institutions with BSA violations for detailed review. Of those 41 institutions:
- 35 institutions (86 percent) were cited for violations related to the Treasury Department’s financial recordkeeping and reporting requirements as prescribed in 31 C.F.R. Part 103, and
- 29 institutions (71 percent) were cited for deficient BSA programs that did not meet the minimum requirements of the FDIC Rules and Regulations.
Regarding the Treasury Department’s Regulations at 31 C.F.R. Part 103, these financial institutions were most frequently cited for:
- failure to file CTRs for nonexempted transactions over $10,000 (22 institutions);
- failure to maintain records on sales of monetary instruments of $3,000 through $10,000 (16 institutions);
- failure to furnish information required in CTRs (14 institutions);
- untimely filing of CTRs or failure to retain CTRs for 5 years (13 institutions); and
- failure to treat multiple transactions totaling over $10,000 as a single transaction (10 institutions).
Regarding the FDIC’s Rules and Regulations Section 326.8, the 41 financial institutions in our sample were most frequently cited for:
- lack of independent testing of BSA compliance (16 institutions),
- failure to develop or implement an adequate BSA compliance program (15 institutions),
- inadequate system of internal controls for BSA compliance (10 institutions), and
- failure to provide adequate BSA training (7 institutions).
Appendix VI summarizes the types of BSA violations and the numbers of institutions that had violations for the 41 sampled financial institutions for the period January 1, 1997 through September 30, 2003. These BSA violations included those recorded in ViSION and those not recorded in ViSION that had been cited in examination reports.
Responsibilities Prescribed by BSA Laws, Regulations, and Policies
Based on our review of applicable BSA laws, regulations, and policies, the DSC is responsible for taking the following steps in identifying and addressing BSA violations:
- Examine FDIC-supervised institutions for compliance (12 U.S.C. 1818(s), Compliance with Monetary Transaction Recordkeeping and Report Requirements; 31 C.F.R. 103.56(b), Enforcement; Section 10(b), Examinations, of the FDI Act; and 12 C.F.R. 337.12, Frequency of Examinations, of the FDIC Regulations and Statements of General Policy).
- Identify and report BSA violations in reports of examination and report the violations to Treasury (DSC Transmittal 92-094, dated July 30, 1992; and Manual of Examination Policies, Financial Recordkeeping and Reporting Regulations, Section 9.4).
- Give institutions an opportunity to correct violations within a reasonable period after being notified of violations (DSC Transmittal 92-094, dated July 30, 1992).
- Verify corrective measures with a follow-up visitation/examination if needed (DSC Transmittal 92-094).
- Initiate a cease and desist order if an institution has failed to establish or maintain BSA procedures or failed to correct any previously reported problem with the procedures (12 U.S.C. 1818(s) and DSC Transmittal 92-094).
- Impose civil money penalties for violations of cease and desist orders (12 U.S.C. 1818(i)(2)(ii)).
- Refer significant violations to the Treasury Department (Bank Secrecy Act Referral Guidelines for Financial Institutions, as incorporated into DSC Transmittal 91-020, dated January 31, 1991).
The FDIC Process for Follow-up and Other Supervisory Actions
The FDIC does not have a standard, nondiscretionary approach for determining when and how to follow up on BSA violations. The process used to identify, track, and report BSA violations is decentralized and is based on the judgment of DSC examiners, field office supervisors, case managers, and regional office management. (Note: One FDIC area office uses a BSA Watchlist to assist in monitoring compliance with BSA-related laws and regulations. DSC officials stated that for those institutions that are included on the watchlist, a follow-up visitation should be performed 6 months to 1 year after the examination that prompted inclusion, and an on-site follow-up should occur at least every 12 months thereafter until removal from the watchlist. Removal from the watchlist is considered if the on-site follow-up confirms adequate correction of prior BSA deficiencies.) DSC officials stated that they apply a risk-focused approach to BSA compliance, taking into consideration the specific demographics of each financial institution when deciding whether to pursue supervisory actions and the type of action necessary. According to DSC, those demographics may include the “overall profile” of an institution, including its location, asset size, history of bank management in taking corrective actions, history of violations, size of bank staff, assessment of risk related to anti-money laundering and the BSA, and composite rating. Nevertheless, our review of DSC’s examinations for the sampled banks raised concerns about instances where the FDIC:
- did not take regulatory or enforcement actions for repeat violations, or
- waited until the next examination to follow up on violations and verify whether corrective actions taken by bank management were effective.
In addition, we noted that DSC examiners sometimes cited BSA deficiencies in the violations section of the examination reports and other times did not. We also noted that DSC’s regional offices took varying approaches for handling violations related to the filing of CTRs and for referring institution violations to the Treasury Department.
Handling of Repeat Violations
With respect to regulatory actions, the DSC imposed such actions on 10 (37 percent) of the 27 institutions we sampled that had repeat violations and on 1 institution that did not have repeat violations. Of those 11 institutions for which regulatory actions were imposed:
- a cease and desist order was imposed for one institution,
- memorandums of understanding were imposed for six institutions,
- bank board resolutions were imposed for four institutions, and
- a state determination letter was imposed for one institution. (Note: The numbers total 12 because for 1 institution, both a memorandum of understanding and a bank board resolution had been imposed.)
Ten of these institutions had violations that related to both Treasury Department’s Part 103 and the FDIC’s Section 326.8, and one institution had violations related to Treasury Department’s Part 103.
As shown in Table 1, the regulatory actions were taken for institutions with varying composite ratings and a wide range of asset sizes.
Table 1: Analysis of Composite Rating and Asset Size for Institutions for Which Regulatory Actions Were Imposed
| Composite Rating | Range of Asset Size (millions) | Number of Institutions for Which Regulatory Actions Were Imposed | Type of Regulatory Action Taken: Number of Institutions with Informal Action | Type of Regulatory Action Taken: Number of Institutions with Formal Action |
|---|---|---|---|---|
| Composite rating "2" | $5 - $122 | 4 | 4 | 0 |
| Composite rating "3" | $23 - $190 | 4 | 4 | 0 |
| Composite rating "4" | $10 - $72 | 3 | 2 | 1 |
| TOTALS | | 11 | 10 | 1 |
(Note: The composite ratings are those at time of violation for which enforcement
action was issued. Asset size is based on September 30, 2003 data obtained from
the FDICnet Institution Information/Institution Directory.)
Source: OIG review of the Formal and Informal Action Tracking System (FIAT)
data, reports of examination, supplemental information provided by the DSC, and
the FDICnet Institution Information/Institution Directory.
Although regulatory actions were taken for 10 of the 27 institutions in our
sample that had repeat violations, regulatory actions were not imposed for
the other 17 institutions that had repeat violations. DSC’s memorandum on Bank
Secrecy Act Compliance Examinations (Transmittal Number 92-094) states
that repeat violations cannot be tolerated. Furthermore, FDI Act section
8(s), codified at 12 U.S.C. 1818(s), states, “the agency shall issue an order … to
cease and desist” when the institution “has failed to correct any problem
with the [BSA] procedures … previously reported to the depository institution….” Nevertheless,
a cease and desist order was issued to only 1 institution in our sample that
had repeat violations; 17 institutions (63 percent of the institutions in
our sample) with repeat violations were not subject to regulatory action
by the FDIC.
According to the FDIC’s Legal Division, enforcement authority always involves some element of discretion. Such discretion may include consideration of the nature of the violation, supervisory judgment as to how best to address the violation, whether to apply formal or informal action, and consideration of workload priorities and resource constraints. Also, the Legal Division indicated that Section 8(s) establishes two key factors for consideration: (1) has the institution established a BSA program? and (2) are there any problems with the program? Minor violations that are not covered by one of these factors would not merit a cease and desist order under Section 8(s). However, of the 17 institutions with repeat violations that were not subject to regulatory action, only 2 institutions did not have program violations.
The DSC’s Formal and Informal Action Procedures Manual does not specifically address BSA violations, yet it does state that the belief that bank management has recognized deficiencies and will take corrective action(s) is not sufficient, in and of itself, to preclude taking regulatory action. In determining the appropriate regulatory action, DSC officials explained that, in the context of a risk-focused examination, they consider several areas: bank management’s willingness to address supervisory concerns and management’s history of responding to those concerns, demonstration of a good faith effort at correcting noted deficiencies, the condition of the institution, the overall risk posed by the identified weaknesses, and other factors.
Follow-up on Violations
DSC’s process for following up on violations cited in reports of examination includes:
- a request for the report to be considered in the bank’s next board meeting, with a record of actions taken entered into the minutes;
- a request for bank management to provide a response indicating the actions taken to eliminate each cited violation or deficiency; and
- follow-up of the corrective actions at the next examination.
Because of the significance of BSA violations, we checked whether follow-up occurred before the next examination. Specifically, for the institutions included in our sample, we checked how often and by what method DSC followed up on whether corrective actions had been taken. We considered evidence related to DSC’s follow-up actions or the banks’ corrective actions and information from the Treasury Department. As a result of our analysis of the process and our review of the 82 reports that cited apparent BSA violations, we found that:
- For 20 reports, DSC followed up or pursued regulatory action for certain violations before the next examination, including additional correspondence, visitations, and regulatory actions such as bank board resolutions, memorandums of understanding, or cease and desist orders.
- For 42 reports, DSC received evidence from bank management, Treasury’s Financial Crimes Enforcement Network (FinCEN), or the Internal Revenue Service (IRS) that certain violations had been corrected before the next examination, and in many of these instances, corrective action took place before the examination was completed.
- For 25 reports, DSC waited until the next examination to assess the adequacy of bank corrective actions for certain violations. (Note: The numbers do not total 82 because DSC used different follow-up actions for some examination reports that cited multiple violations.)
In one case, a subsequent state examination followed up on violations cited by the DSC and pursued the matter until the bank took corrective action. Most state examinations, however, did not cover BSA compliance.
Table 2 provides examples of the variety of follow-up and regulatory actions taken by the FDIC to address BSA violations. These examples are specifically related to violations cited for FDIC’s Rules and Regulations Section 326.8. Appendix II provides a detailed description of the requirements in FDIC’s Rules and Regulations Section 326.8.
Table 2: Supervisory Actions Taken for Similar BSA Violations
| INSTITUTION IDENTIFICATION NUMBER | VIOLATION | SUPERVISORY ACTIONS |
|---|---|---|
| 4 | 326.8(b) | The violation was cited during an , 1997 examination. It is a repeat violation initially cited during the institution's , 1996, examination. A bank board resolution (BBR) was adopted , 1998, more than 2 years after initial citation. |
| 12 | 326.8(b) | Violation was initially cited during the , 1998 examination for a combination of deficiencies in the bank's BSA Compliance program, including lack of independent testing. Bank officials informed the FDIC that the 1998 violation had been corrected prior to the state 1999 examination by having a Certified Public Accounting firm conduct independent testing in 1998. The 1999 state examination did not identify any BSA violations. The bank was cited for a repeat violation during the FDIC examination on , 2000 because independent testing had not been conducted since 1998 and the bank had not kept the BSA program current and approved annually. The , 2002 state examination cited the bank for lack of independent testing because no testing had been conducted since 1998. The , 2003 examination did not report this violation. No supervisory action was taken by the FDIC. FDIC officials stated ". . . that it should be noted that Part 326 does not specify the frequency of the required independent testing. The Guidelines for Monitoring Bank Secrecy Act Compliance (issued by FIL 29-96) indicate that annual testing should be conducted, but guidelines cannot be "violated" – there can be violations only of regulations." |
| 15 | 326.8(b) | As a result of violations related to safety and soundness, the FDIC and bank management signed a memorandum of understanding (MOU) on , 1999, which placed numerous requirements on the institution for compliance. Although the MOU did not specifically address BSA violations, it did refer to the requirement to correct violations of all laws. After the , 2000 examination during which BSA violations were reported, the FDIC continued the MOU. The institution's progress report for 2000 indicated that all violations had been corrected. The MOU was terminated , 2001. |
| 1 | 326.8(c)(2) | The violation was reported during the , 2000 FDIC examination. Based on that examination, bank management agreed to have testing performed in 2000. However, the violation was identified as a repeat violation during the , 2002 state examination. Bank management provided evidence that the independent testing was completed on , 2002—almost 2 years after initial citation. |
| 19 | 326.8(c)(2) | Violation was initially cited during the , 1999 examination and was repeated during the , 2001 and , 2003 examinations. As a result of the , 2001 examination, the state regulatory agency placed the bank under a Determination Letter, which was related to various safety and soundness concerns and required the bank to correct all violations of law, including the apparent BSA infractions. The institution was required to provide quarterly progress reports. The , 2003 quarterly report indicated that the BSA violation had been addressed and reviewed. The next examination conducted in 2003 indicated that all BSA violations had been corrected, and no additional violations were cited. |
| 29 | 326.8 BSA Compliance Program and 326.8(c)(2) | Violations of 326.8(b) BSA Compliance Program and 326.8(c)(2) lack of independent testing were cited during the 1998 examination, and a violation of 326.8(b) was cited during the 2000 examination. FDIC's comments for this institution indicated that officials did not consider the violations to be systemic; bank management promised appropriate action; and given the positive relationship with the regulatory agencies in the past, there was no reason to think that corrective action would not be taken; and enforcement action did not appear warranted. Further, FDIC officials stated that bank management was able to demonstrate a good faith effort at correcting the noted deficiencies and that although it took two examination cycles to clear the violations, improvement was noted at each examination. |
| 33 | 326.8(c)(2) | Violation was cited during the , 2001 examination. The institution provided evidence that corrective action was taken 14 months after the examination. |
| 37 | 326.8(c)(2) | Violation was first cited during the , 1997 examination and was included as repeat violation during the , 1999 and , 2002 examinations. The FDIC issued a cease and desist order effective , 2002, pursuant to Section 8(s)—over 5 years after initial citation—solely for violations related to lack of independent testing and employee training for BSA. The FDIC conducted a visitation on , 2002 and determined the bank to be in substantial compliance with most provisions of the order. The order was terminated , 2002. |
(Note: The number shown in the first column represents the identification number assigned for the institution. Since most of the institutions included in the OIG sample are open banks, the names of the institutions are not used for identification purposes. The numbers correspond with data shown in Appendix V.)
Source: OIG review of ViSION data, reports of examination, and supplemental information provided by DSC regional and area office officials.
As evidenced by Table 2, supervisory approaches and the time taken for follow-up on BSA violations varied.
Inconsistencies in Describing Deficiencies and Citing Violations
In reviewing DSC’s reports of examination, we observed several instances of BSA deficiencies described in the reports but not cited in the Violations of Laws and Regulations section of the reports. On the other hand, we also noted instances of similar BSA deficiencies that were cited as violations. Deficiencies that are described in the reports of examination but not cited as violations may receive less attention from bank management or in follow-up by the DSC. According to DSC officials, the examiners exercise judgment in determining the significance of BSA concerns. That judgment includes determining whether the weaknesses constitute:
- apparent violation of laws or regulations, meriting inclusion in the violations section of the examination report, or
- noncompliance with DSC guidelines, meriting only mention in the report as matters for bank management’s attention, which may be sufficient to eliminate concern.
For example, DSC officials stated that citing an institution for a lack of independent testing would be appropriate if no testing was being conducted; however, the institution would not be cited in cases in which independent testing was being conducted but the frequency or areas of coverage could be enhanced. However, we noted several instances of inconsistency in the handling of BSA deficiencies.
Deficiencies Described and Cited as Violations
During an examination conducted in 2003, a bank was cited for:
- failure to develop a BSA compliance program and provide for the continued administration of such program because the bank had weak internal controls and did not provide annual independent testing,
- lack of independent testing of BSA compliance because the bank’s BSA policy did not address annual independent testing, and
- failure to provide adequate BSA training because the bank’s BSA policy did not address annual training to be provided to all employees.
In addition, the management assessment section of the examination report stated that an outside firm had performed a limited review of BSA and recommended that the scope of independent testing be expanded.
In another example, during a 2000 examination, examiners cited a bank for lack of independent testing. The examination report noted that the bank’s BSA policy provided for a system of independent testing for compliance with the BSA, but that independent testing had not been conducted. Additionally, the report stated that the independent review did not address exemptions, (Note: The term “exemption” refers to instances in which banks are not required to file CTRs for transactions by certain categories of “Exempt Persons.” Exemptions are further defined in Appendix VIII.) a test of the bank’s recordkeeping system and the recordkeeping requirements for wire transfers and the sale of monetary instruments.
During an 2000 examination, a bank was cited for overall noncompliance with the BSA compliance program requirements because of noted “weaknesses” in the bank’s training efforts and independent testing procedures. The report further stated that while independent testing was not conducted in 1998 or 1999, the testing that was conducted in 2000 was too narrow in scope and did not review wire transfer activity. The examiner cited the bank for failure to develop or implement an adequate BSA compliance program, indicating overall noncompliance with BSA regulations, and did not limit the violation specifically to a lack of independent testing.
Deficiencies Described and Not Cited as Violations
In contrast to deficiencies cited as violations, we noted instances in which significant deficiencies were described by examiners but were not cited as specific violations:
In a 1997 examination report, DSC did not cite a bank for lack of independent testing even though the report specifically stated that bank management did not adhere to the policy guideline that required comprehensive audits of the BSA function. In addition, the report stated that certain transactions (currency) were not properly reported and that numerous errors in transaction reports were the result of the inadequate review and audit procedures. These deficiencies resulted in several violations cited in the 1997 report, such as failure to file CTRs, failure to properly document CTRs, and inadequate verification of customers’ identification, but not lack of independent testing. Further, the 2000 examination report stated that (1) the lack of independent testing of the BSA program and weaknesses in internal reviews of CTRs resulted in apparent violations, (2) the apparent violations related to the failure to provide for independent testing of the BSA program and the filing of CTRs with incomplete and inaccurate information, and (3) the independent testing deficiency was noted at the 1997 examination and remains uncorrected. The examiners cited the institution for failure to develop or implement an adequate BSA compliance program. For the subsequent examinations conducted in 2001 by the state regulatory agency and in 2002 by the FDIC, no violations related to independent testing were noted. The state examination noted that independent testing was being performed.
In another examination report for an 1997 examination, examiners described the bank’s BSA compliance program as severely lacking and further stated that there were serious deficiencies in the program. The examination report indicated that the BSA compliance program did not address record retention; internal procedures for detection, prevention, and reporting of large currency transactions and suspicious transactions related to money laundering activities; or written procedural guidelines for meeting the reporting and recordkeeping requirements of the BSA regulations. In addition, examiners noted that the program lacked an effective system of internal controls to ensure ongoing compliance. Further, examiners noted that no formal auditing procedures were evidenced that would confirm the integrity and accuracy of the systems for reporting large currency transactions. The bank’s internal auditor did perform a limited review, but did not include a review of tellers’ work or independent testing of currency transactions. Audit procedures also were lacking for adherence to recordkeeping and/or retention requirements. As a result of this examination, the bank was cited in the violations section of the examination report only for an inadequate system of internal controls and various violations related to Treasury Department’s Part 103. The bank’s deficiencies related to the lack of independent testing did not result in the citation of an apparent violation. In a joint examination conducted in 1998, the institution was cited for a lack of independent testing, an inadequate system of internal controls, and a violation related to Treasury Department’s Part 103.
In a 2003 report of examination, examiners stated that the frequency of independent testing was inadequate and that the frequency of testing should be increased to monitor the integrity of internal controls and procedures and assure compliance with related regulations and bank policy. The report also described deficiencies related to an inadequate system of internal controls. The examiners recommended that both the manual cash log and the automated system be used to ensure CTRs were filed and that tellers received training on the sequencing of cash transactions. However, the bank was not cited for a lack of internal controls to address the identified deficiencies or a lack of independent testing. Although a BSA data entry form was attached to the back of the examination report, indicating a citation for the lack of independent testing, the violation was not included in the violations section of the examination report and did not appear in ViSION. The bank was cited only for one violation—failure to file CTRs.
DSC officials stated that banks are not required to conduct independent testing on an annual basis, although annual testing is recommended in DSC Guidelines for Monitoring Bank Secrecy Act Compliance, dated August 1, 1996. DSC officials stated that because Section 326.8(c) states that independent testing should be conducted by bank personnel or an outside party and does not specifically require “annual” testing, BSA weaknesses involving a lack of annual testing should not be cited as violations. DSC officials added that banks cannot violate “guidelines”—rather, violations should be cited for noncompliance with laws or regulations only. However, our review of examination reports indicated that examiners were not consistent in this area. When citing violations related to independent testing, the examiners sometimes stated in their reports that banks were required to perform annual testing and used the DSC’s guidelines rather than the regulations as the basis for citing such violations. DSC officials also stated that banks would not necessarily be cited for a violation of independent testing if at least some testing was being conducted; however, examiners did cite some violations when testing needed to be expanded.
DSC officials also stated that examination reports go through multiple levels of review. Specifically, officials stated that the reports of examination are reviewed at the field supervisory and case manager level, and by regional office management, who all have the opportunity to reclassify these deficiencies as violations if they think a case warrants such reclassification. In addition, DSC officials stated that examiners are expected to use their judgment in determining whether BSA deficiencies should be cited as violations. Officials added that examiners include these deficiencies in reports of examination as a means to bring those issues to bank management’s attention. Further, bank management is required to address not only the cited violations, but also weaknesses that are described in reports of examinations.
Handling of Violations Related to CTRs
We also noted variations in the handling of violations related to CTRs. While conducting examinations, examiners identified instances in which financial institutions had improperly exempted customers from currency transaction reporting requirements or otherwise failed to file CTRs in accordance with 31 C.F.R. Part 103. According to DSC Transmittal 1993-149, Extension of Filing Deadline for Currency Reports Filed Transaction on Magnetic Tape, dated October 14, 1993, CTRs must be filed with the IRS within 15 days following the date of the transaction (25 days if the financial institution files electronically). For those institutions that did not file CTRs within the specified timeframe, FinCEN requests that examiners have bank officials request permission to backfile CTRs. DSC regional offices did not handle violations related to the backfiling of CTRs in a consistent manner. Some offices required the institutions to request permission to backfile, while other offices allowed the institutions, in cases that involved one or two CTRs, to file without requesting permission to backfile.
Handling of Referrals to the Treasury Department
DSC referrals of bank violations to the Treasury Department were infrequent. According to information provided by the DSC, 34 referrals were made from January 1, 1997 to December 31, 2003, and 28 referrals (82 percent) were made by 1 DSC regional office. DSC officials added that since the FDIC reports summary information on BSA violations to the Treasury Department through ViSION, Treasury sometimes requests copies of applicable examination reports based on Treasury’s analysis of the violations. The following actions have resulted from the referrals made by the FDIC from January 1, 1997 through December 31, 2003:
- 27 institutions received cautionary letters or letters of warning from the Treasury Department,
- 1 institution received a civil money penalty,
- 3 referrals were resolved by other means, and
- 3 referrals were still open.
The Treasury Department’s 1990 referral guidelines state that one of the reasons the guidelines were issued was that referrals had been made that were not significant enough to warrant penalties. Consequently, it may be advisable for DSC to discuss the referral guidelines with the Treasury Department and to request clarification. Treasury’s priorities and approaches to penalties for BSA violations may have changed since the guidelines were issued over 13 years ago.
Timeliness of Follow-up and Other Supervisory Actions
The timeliness of follow-up and other supervisory actions varied among the regional and area offices. The time period ranged from immediate (during the examination process) to over 5 years for bank management corrective action, FDIC verification of corrective action, or FDIC regulatory action. During the extended time frames, subsequent examinations determined that some previously cited BSA violations remained uncorrected even though bank management may have indicated it would take corrective action.
For 27 of the 41 financial institutions we reviewed, the examination reports or supplemental information provided by DSC showed that bank management promptly addressed certain BSA violations during the examinations or within a 12-month period after the examinations as noted below:
- Violations at 14 institutions related to the Treasury Department’s Part 103 only -- the financial recordkeeping and reporting requirements for CTRs and exemption status for specific customers;
- Violations at 4 institutions related to Treasury Department’s Part 103 and the FDIC’s Section 326.8;
- Violations at 4 institutions related to Treasury Department’s Part 103, the FDIC’s Section 326.8, and Section 353.3;
- Violations at 3 institutions related to the FDIC’s Rules and Regulations, Section 326.8 only; and
- Violations at 2 institutions related to the Treasury Department’s Part 103 and the FDIC’s Rules and Regulations, Section 353.3.
In other cases, bank management did not take action to correct cited BSA violations within a 12-month period. In these cases, more than 1-5 years elapsed before bank management took corrective action or the FDIC took regulatory action to address the violations as shown in Table 3. These cases included violations cited for both Treasury’s Part 103 and the FDIC’s Rules and Regulations, Section 326.8 and Section 353.3.
Table 3: Time Taken to Address BSA Violations
| LENGTH OF TIME FOR ACTION | NUMBER OF INSTITUTIONS (see note) |
|---|---|
| 12 months or less | 27 |
| 13 months - 24 months | 13 |
| 25 months - 36 months | 16 |
| 37 months - 48 months | 10 |
| 49 months - 60 months | 1 |
| More than 60 months | 8 |

(Note: The number of institutions will exceed the 41 sampled institutions because the length of time varied for institutions with multiple BSA violations.)
Source: OIG analysis of ViSION data and review of evaluation reports and supplemental information provided by DSC for the 41 sampled institutions.
DSC officials stated that follow-up on BSA violations often occurs at the next FDIC examination rather than between examinations. Although the FDIC can conduct visitations between regularly scheduled examinations, we identified only a few visitations based on information provided by the DSC that addressed BSA violations.
Generally, the FDIC alternated examinations of the sampled institutions with state regulatory agency examinations for those institutions. However, 45 of the 72 examination reports we reviewed from state regulatory agencies did not specifically address BSA compliance. Therefore, the FDIC could not rely on those examinations to determine whether bank management took corrective actions to address previously cited violations or to identify any new BSA violations. Consequently, follow-up by the FDIC on some previously cited BSA violations did not occur until the next FDIC examination, generally 24 to 36 months after the violations were initially identified.
The following examples illustrate inadequate follow-up on BSA violations and regulatory actions imposed and the timeliness of those actions.
- During a joint examination conducted in 1997, examiners identified significant deficiencies in the bank’s BSA policies and operating procedures. Examiners concluded that the bank’s BSA compliance program was inadequate and in immediate need of revision. The bank was cited for:
  - failure to have an adequate written bank board of directors-approved BSA compliance program,
  - lack of independent testing of BSA compliance,
  - failure to designate individuals responsible for BSA compliance,
  - failure to provide adequate BSA training—overall noncompliance with the FDIC’s Section 326.8 minimum requirements—and
  - one violation related to Treasury’s Part 103.
The bank’s president promised to take corrective action necessary for the cited violations. At the 1999 examination, the bank was cited for having an inadequate system of internal controls and lack of independent testing. During the 2002 examination, the bank was cited for numerous violations of Treasury’s Part 103, an inadequate system of internal controls for BSA compliance, and SAR violations. FDIC officials stated that no follow-up visitation was conducted for this institution after the 1999 examination and that given the promise of corrective action by the bank president within 90 days of receipt of the report, as stated in the report of examination, further follow-up was apparently determined to be unnecessary. In 2003, however, the FDIC entered into a Memorandum of Understanding with the bank for various safety and soundness issues and BSA compliance concerns.
- During examinations conducted in 1997, 1999, and 2002, a bank was cited for violations related to the lack of independent testing of BSA compliance, failure to provide adequate BSA training, and violations related to the Treasury Department’s Part 103. However, no adequate bank corrective action or supervisory action was taken until after the 2002 examination. The FDIC issued a cease and desist order effective , 2002, more than 5 years after the violations were initially cited. Violations related to the lack of independent testing and failure to provide adequate BSA training were repeat violations during the 1999 and 2002 examinations. The DSC issued a cease and desist order on , 2002 which was terminated in 2002.
- During an examination conducted in 1998, a bank was cited for violations related to a lack of independent testing for BSA compliance and failure to designate individual(s) responsible for BSA compliance. A violation for lack of independent testing was cited again during the 2001 and 2003 examinations—three consecutive FDIC examinations. Supervisory action was not taken until 2003, when the FDIC, state regulatory authority, and the bank signed a memorandum of understanding to correct the BSA violations, more than 5 years after the violations were initially cited.
- During an 1998 examination, a bank was cited for violations related to the failure to file CTRs, failure to furnish information on CTRs, improper exemptions, and failure to develop or implement an adequate BSA compliance program. The next examination, conducted in 2001, cited the bank for: failure to follow identification procedures or failure to record identification method, untimely filing of CTRs or failure to retain CTRs for 5 years, failure to furnish information required in CTRs, and failure to develop or implement an adequate BSA compliance program. DSC officials stated that the violations cited in the 1998 examination and repeat violations cited in the 2001 examination triggered a supervisory response requiring a progress report from the bank and the on-site visitation conducted in 2001.
DSC conducted a follow-up visit in 2001 and cited the bank for continued violations for: failure to file CTRs for nonexempted transactions over $10,000, untimely filing of CTRs or failure to retain CTRs for 5 years, and failure to furnish information required in CTRs. The visitation showed that bank management’s documentation of BSA training efforts needed improvement, the scope of the independent review needed to be enhanced, and internal controls could be strengthened. The visitation also noted a couple of previously cited violations involving transactions prior to the 2001 examination that either had not been corrected or the bank had not retained evidence of correction. Further, the visitation identified new violations related to the failure to furnish information required in CTRs, no record at FinCEN of IRS receipt of CTRs, and untimely filings of CTRs or failure to retain CTRs for 5 years. Based on the progress report and the visitation, DSC concluded, however, that the bank was making a good faith effort to comply with BSA and deemed that no further supervisory efforts were necessary other than regular examinations.
In contrast to the previous examples, DSC took prompt action for an institution with similar violations. During a joint examination conducted in 2003 by the FDIC and the state regulatory agency, the examiner concluded that the bank’s BSA program was less than satisfactory and further stated that the bank was in apparent violation of virtually every requirement of Section 326.8 of the FDIC Rules and Regulations. The bank was cited for the following violations related to the Treasury Department’s Part 103, FDIC’s Section 326.8 and Section 353:
- failure to file CTRs for nonexempted transactions over $10,000;
- failure to treat multiple transactions totaling over $10,000 as a single transaction;
- failure to develop or implement an adequate BSA compliance program;
- failure to have adequate written board-approved BSA compliance program;
- inadequate system of internal controls for BSA compliance;
- lack of independent testing of BSA compliance;
- failure to designate individuals responsible for BSA compliance;
- failure to provide adequate BSA training; and
- various violations related to SARs.
Within 6 months after the examination, the FDIC issued a proposed cease and desist order. The bank responded with evidence that it had taken material steps to improve its BSA compliance. DSC conducted a visitation the following month to assess the bank’s progress and concluded that the bank had exerted considerable effort in addressing the violations but that additional effort was necessary to make the bank’s BSA program satisfactory. After the visitation, the DSC provided an MOU to the institution to address the remaining concerns. The MOU became effective in 2004.
As discussed previously, the DSC conducts examinations of its supervised institutions on a 12- or 18-month cycle and usually alternates examinations with state regulatory authorities. Since the state regulators do not usually review BSA compliance at their examinations, 2 to 3 years can elapse until the next FDIC examination without any follow-up on BSA violations. This delay in ensuring that BSA violations are corrected could result in additional or continued BSA violations and could hinder the detection of criminal activity.
CONCLUSION AND RECOMMENDATIONS
The DSC has adequately followed up on some BSA violations to ensure bank management has taken appropriate corrective action. However, the DSC could better ensure that prompt and effective actions are taken by bank management to ensure compliance with BSA regulations.
In light of the increased congressional interest in BSA compliance and emphasis on national security concerns, DSC should re-evaluate and update its examination guidance to help ensure adequate DSC follow-up and timely corrective action by bank management. DSC should also discuss and update the referral policy with the Treasury Department, encourage state coverage of BSA compliance, and develop alternative processes to compensate for the lack of state coverage of BSA compliance. We noted that DSC is currently conducting a reassessment of its BSA-related policies and procedures to update its BSA guidance and may be able to address our recommendations in conjunction with this assessment.
Recommendations
We recommend that the Director, DSC:
- Re-evaluate and update examination guidance to strengthen monitoring and follow-up processes for BSA violations, including:
  - prompt, appropriate, and consistent regulatory action in cases where management action is not timely, including cease and desist orders for repeat violations as appropriate;
  - consistent and timely follow-up of BSA violations between examinations to ensure management is taking corrective action;
  - consistent citation and recordation of all apparent violations in reports of examination and in ViSION; and
  - a consistent approach to the backfiling of CTRs.
- Review DSC’s implementation of the process for referring institution violations of BSA to the Treasury Department, and discuss with Treasury the need to update or modify the referral guidelines based on changes in priority and approach in recent years.
- Coordinate with state regulatory agencies to cover BSA compliance in state examinations of FDIC-supervised institutions and for those states that do not cover BSA compliance, develop an alternative FDIC process to address BSA compliance when relying on alternating state examinations.
CORPORATION COMMENTS AND OIG EVALUATION
On March 22, 2004, the DSC Director provided a written response to the draft report. The response is presented in Appendix IX to this report. DSC concurred with the three recommendations. As part of its appended response, DSC provided a legal opinion by the FDIC General Counsel and an unaudited DSC internal assessment of its program to evaluate bank compliance with the BSA.
In addressing Congress’s intent in Section 8(s) of the FDI Act, which states that the appropriate federal banking “agency shall issue an order… requiring such depository institution to cease and desist from its violation” in cases of repeat violations of requirements for establishing and maintaining BSA procedures, the General Counsel’s legal opinion provides the following guidance:
The absence of a mandate to bring a cease and desist action to address every violation of Section 8(s) or the regulations does not imply that the alternative is to take no action. To the contrary, the statutory intent must be to take an appropriate corrective action based upon the severity of the problem, the risks it poses, and the bank’s willingness to comply expeditiously.
The audit, however, identified cases where DSC had not taken regulatory action to address repeat violations of these BSA requirements. We also observed numerous violations for which bank management indicated a willingness to take corrective actions to prevent recurrence of those violations. However, in several cases, corrective action either was not implemented or was implemented but was not effective in preventing repeat violations. In our opinion, a bank’s indicated willingness to correct violations should be only one factor considered in determining whether to impose regulatory action. This conclusion is also supported by the FDIC’s Formal and Informal Action Procedures Manual, which states that “The belief that the institution’s management has recognized the deficiencies and will institute corrective action is not a sufficient basis, in and of itself, to preclude taking corrective action.”
DSC’s response provided detailed analyses and comments on several issues that relate to DSC’s overall BSA program. Because our audit focused on supervisory actions taken in response to BSA violations, not DSC’s overall BSA program, we offer no response to these comments. However, in reviewing DSC’s other comments that relate generally to our audit and specifically to our audit results and scope, there are several issues that warranted further discussion and clarification.
General DSC Comments on Audit
- DSC Statement:
“. . . the DSC’s approach has been to differentiate between serious BSA program problems within an institution versus isolated and technical weaknesses. In practice, isolated and technical weaknesses can be addressed within the normal course of supervisory process.”
OIG Response:
During this audit, DSC officials initially stated that they do not “. . . generally characterize BSA violations as either substantive or technical,” consistent with the “zero tolerance” policy espoused by the Treasury Department. Accordingly, we included in the universe for the selected sample all BSA violations recorded in ViSION. We based our analyses and conclusions on the premise that DSC’s approach to such violations would not differentiate between substantive and technical violations. After being provided the preliminary results of the audit, DSC then indicated that, in fact, it does differentiate between BSA violations based on significance, but could provide no basis upon which these determinations are made. Contrary to DSC’s assertion, for the sample of institutions we reviewed, we found little or no evidence to indicate that there was a distinction made among BSA violations in deciding whether or in what manner follow-up action would be taken.
- DSC Statement:
“Therefore, we do not concur with the inference that the FDIC’s supervisory actions are materially lacking or that an increased risk of money laundering exists in the institutions for which we are the primary federal regulator.”
OIG Response:
We continue to conclude that the FDIC needs to strengthen its follow-up process for BSA violations, based on the following:
- Of the 41 institutions sampled, 27 institutions (66 percent) had repeat violations for multiple examinations; 17 (63 percent) of the 27 institutions did not have any type of regulatory action imposed.
- Of the 17 institutions for which no regulatory actions had been taken, 15 had repeat violations related to FDIC’s Section 326.8, which establishes the minimum requirements for a BSA compliance program.
- We reviewed 82 reports for the 41 sampled institutions. Twenty-five (30 percent) of the reports cited violations for which the DSC waited until the next examination to follow up. Additionally, in many cases, alternating examinations conducted by state regulatory agencies did not address BSA and/or did not follow up on previous violations cited in FDIC reports of examinations. For those states that do not assess BSA compliance, 2 to 3 years could elapse without BSA examination coverage for institutions in those states.
- DSC regional and field offices are inconsistent in deciding whether or when to follow up on BSA violations or to take regulatory action.
- Numerous reports of examination described deficient BSA compliance programs but did not cite violations, which we have concluded may receive less attention from bank management and from the DSC in its follow-up efforts.
- Inconsistencies exist among DSC regional offices in deciding how to handle violations related to the backfiling of CTRs.
- Inconsistencies exist among DSC regional offices in making referrals to the Treasury Department; of the 34 referrals made by the FDIC, 28 (82 percent) were made by 1 DSC regional office.
- Not all identified BSA violations have been included and tracked in the FDIC’s automated system, ViSION, and as a result, not all BSA violations have been reported to the Treasury Department.
These problems, taken collectively, represent increased risk of illegal activity going undetected and unreported.
- DSC Statement:
“In 38 of the 41 cases, we found the supervisory actions to be consistent with the problems identified and the risks posed by the circumstances.”
OIG Response:
These 38 cases included 25 institutions with repeat violations and 13 institutions that did not have repeat violations. Of these 25 institutions with repeat violations, 15 institutions (60 percent) had been cited for violations of the FDIC’s Rules and Regulations Section 326.8, indicating noncompliant BSA programs for multiple examinations. Ten institutions (40 percent) had been cited for repeat violations related to either the Treasury Department’s Part 103 or the FDIC’s Section 353.3, indicating noncompliance with Treasury’s reporting and recordkeeping requirements related to CTRs or SARs. Many of these institutions with repeat violations were not subject to any regulatory action. In our opinion, regulatory action was appropriate under these circumstances.
- DSC Statement:
“The OIG also did not look at supervisory actions taken in instances of serious BSA program deficiencies, analyze the risk for money laundering in the sample institutions, have discussions with examiners, or assess the BSA examination process.”
OIG Response:
DSC has introduced matters that were not the subject of this audit. We selected a sample of institutions with BSA violations identified by FDIC examiners. We did not add to our sample those institutions for which DSC considered that it had done a good job of addressing BSA program deficiencies. Similarly, we did not alter our sample to focus on institutions that DSC now considers to be at higher risk for illegal activities. There was no evidence to indicate that DSC had systematically analyzed the risks at our sample institutions. The documented risk analyses provided to us after our audit had started were not contemporaneously prepared with the BSA examinations performed. We did not include the entire BSA compliance examination program in the scope of our audit. Therefore, we did not interview examiners or review examination working papers. Those activities were not required to meet our audit objectives. Rather, we focused on actions taken on reported violations. During the audit, however, we did provide our analysis of BSA actions to DSC and requested DSC to address the questions we raised and provide its input on our preliminary findings. In doing so, we relied on DSC management to enlist appropriate staff, including examiners, in providing its responses and any additional evidence of supervisory actions for us to consider in reaching our conclusions.
- DSC Statement:
“We do not concur with the OIG’s criticism that recommendations for improvement and the supporting discussion may be confused with apparent violations of the BSA.”
OIG Response:
The requirements for an adequate BSA compliance program based on the FDIC’s Rules and Regulations Section 326.8 are explicit. Each FDIC-supervised institution is required to develop and administer a program to ensure compliance with the BSA and 31 C.F.R. Part 103. The institutions’ boards of directors must approve the compliance program in writing and in accordance with Section 326.8(c). The program should include four minimum requirements:
- a system of internal controls to assure ongoing compliance,
- independent testing for compliance with the BSA and 31 C.F.R. Part 103 to be conducted by bank personnel or an outside party,
- designation of individual(s) responsible for coordinating and monitoring compliance with the BSA, and
- training in BSA requirements for appropriate personnel.
Accordingly, our position is that institutions not meeting the minimum requirements specified by Section 326.8 do not have an adequate BSA compliance program and have violated the BSA. We noted cases in which FDIC examiners described deficiencies in institutions’ BSA compliance programs, including cases in which the programs did not meet the minimum requirements outlined in Section 326.8. However, the examiners did not specifically cite the deficiencies as BSA violations.
We continue to conclude that deficiencies described in the reports of examination, but not cited as violations in the Violations of Laws and Regulations section of the reports or recorded in ViSION, receive less attention from bank management and/or in follow-up by the DSC. Documentation provided by DSC on follow-up of examination results did not identify responses from bank management on deficiencies that were described but not cited as violations in reports of examination. In addition, we identified multiple examinations that described but did not cite violations, allowing them to continue for extended periods. In some cases, subsequent examinations cited the violation. We also noted that examiners were inconsistent in citing BSA violations – the same violations at different institutions were being treated dissimilarly for examination report purposes.
General Comments on Audit Results:
- Our determination of the adequacy of follow-up for BSA violations that had been cited for the sampled institutions was based on the (1) timeliness of corrective action by bank management and/or follow-up by the FDIC and (2) effectiveness of follow-up in preventing repeat BSA violations. We continue to conclude that it is ineffective to wait for follow-up until subsequent examinations, especially when state regulatory agencies do not review BSA. In addition, we continue to conclude that BSA violations, particularly repeat violations, should be followed up in a timely, effective manner, regardless of an institution’s location, asset size, deposit base, familiarity with its customer base, stability of management and employee base, and number of reportable transactions. Delays or inadequate follow-up can send the wrong message to possible wrongdoers – that BSA violations receive less attention at certain types of institutions, such as those that do not fit DSC’s high-risk profile. Also, more serious consideration of other forms of regulatory action, up to and including cease and desist orders, is warranted.
- DSC stated that our evaluation of the adequacy of follow-up for the 41 sampled institutions did not consider DSC’s categorization of “BSA/AML risk profiles” (BSA/anti-money laundering). However, according to DSC, the division did not have BSA risk-profile definitions and had no plans to define BSA risk profile(s). During the audit, DSC requested regional and area office officials to (1) evaluate BSA risk for the institutions included in our sample so that DSC could make an evaluation of each situation and (2) focus on the institutions that we identified as receiving less than “adequate” corrective action by the bank or follow-up by DSC personnel. In the regions’ efforts to evaluate each institution and in cases where the audit report identified deficiencies, DSC also asked the regions to assess the money-laundering vulnerability of each institution based on factors relevant to each institution and to the specific situations we identified. We concluded that those assessments were not prepared contemporaneously with the examinations, but were made only for the purpose of responding to our audit. Therefore, the assessments were not official management tools to assist in planning or conducting the examinations. However, in reviewing information DSC provided in its official written response relative to the BSA risk profiles, including whether the institutions were located in Metropolitan Statistical Areas (MSAs) and High Intensity Money Laundering and Related Financial Crime Areas (HIFCAs), we noted the following for the institutions for which regulatory actions had been taken by the DSC or initiated by state regulatory agencies:
- Our review of the 41 sampled institutions identified 11 for which regulatory actions had been taken. Of these 11 institutions, 9 (80 percent) were not located in MSAs and 9 (80 percent) were not located in HIFCAs.
- According to the examination reports that prompted regulatory action, four institutions had composite ratings of 2 and management ratings of 2. DSC considered three of the four institutions to have a “low” BSA risk profile. The remaining institution was located in an HIFCA.
- According to the examination reports that prompted regulatory action, four institutions had composite ratings of 3 and management ratings of 3. One of the four institutions was considered by the DSC to have a “high” BSA risk profile. The remaining three institutions were not located in either an MSA or HIFCA.
- According to the examination reports that prompted regulatory action, three institutions had composite ratings of 4 and management ratings of 3, 4, or 5.
- The one institution with a 3 management rating was issued a cease and desist order; the institution was not located in either an MSA or HIFCA and had a “low” BSA risk profile according to DSC.
- The institution with a 4 management rating was issued a memorandum of understanding and had a “moderate/low” BSA risk profile according to DSC.
- The institution with a 5 management rating was issued a determination letter but had a “low” BSA risk profile according to DSC.
Based on this analysis, neither the institution’s BSA risk profile nor its location in an MSA or HIFCA appeared to play a significant role in determining whether to impose actions against the institutions. Only 1 of the 11 institutions had a high BSA risk profile assigned by the DSC, and only 2 were located in HIFCAs. Additionally, actions were not imposed on three institutions with repeat BSA violations which DSC identified as having a “moderate” or “moderate/high” risk profile.
- Our review of information provided by the DSC regarding referrals made to FinCEN for FDIC-supervised institutions showed that there were 208 referrals during the audit scope period of January 1, 1997 through September 30, 2003. Of those 208 referrals, DSC made only 34 referrals (16 percent), and the remaining referrals were made by other sources, such as FinCEN, the IRS, or the institutions themselves. As previously indicated, 28 of these 34 referrals were made by 1 of the 6 DSC regions.
General Comments on Audit Scope
- We informed the DSC of our audit scope and methodology for achieving the audit objective. The objective was to review a sample of BSA violations for the audit scope period to determine whether DSC adequately follows up on BSA violations reported by examinations of FDIC-supervised financial institutions to ensure that institutions take appropriate corrective action. Accordingly, we limited the audit results and findings to issues specifically related to the agreed-upon audit objective. We based our conclusions on the FDIC’s automated system data, supplemental data provided by the DSC, and our review of reports of examination from both the Corporation and state regulatory agencies. The FDIC did not inform us until the end of our field work that it had identified inaccuracies in BSA data resident in its information systems resulting from the conversion from a prior system to ViSION. For the institutions in our sample, we verified the data used in this audit to the reports of examination and DSC’s supplemental data.
- The banks which DSC referred to in its response as “inactive” became inactive more than 12 months after the examinations for which BSA violations had been cited. Accordingly, we did not delete those institutions from the sample selection. In addition, two other institutions referenced in DSC’s response had been deleted from our sample analyses and were not included in our findings and conclusions.
- DSC’s comment that we did not request reports of examination for one of the sampled institutions is incorrect because we made a global request for all reports of examination associated with the institutions in our sample, including the FDIC's examination reports and those from state regulatory agencies.
- DSC stated that the community banks it supervises have a strong inherent deterrent to money laundering because they operate in areas where bank management’s knowledge of customers is high, making criminal activity harder to disguise. This information is relevant to the examination and potentially to reporting BSA violations, but not to the pursuit of corrective action on known BSA violations. We did not assess how well management for the 41 sampled institutions knows their customers, but limited our assessment of BSA compliance to (1) results described in the examination reports and captured in ViSION and (2) information on the regulatory actions imposed for noncompliance.
During our audit, the FDIC did not have a corporate objective specifically related to BSA. However, in the course of preparing our final report, we became aware that such an objective recently had been established. The Corporation's final 2004 Corporate Performance Objectives, as approved by the FDIC Chairman, includes the following objective:
Implement revised examination and enforcement strategies/guidance, as appropriate, to address OIG/GAO [General Accounting Office] audit findings relating to the Bank Secrecy Act, anti-money laundering programs, and counter-terrorist financing. Develop and implement a communications strategy to facilitate industry understanding of newly implemented regulations in these areas.
We support this objective as a positive action on the part of the Corporation because the objective will prompt a concerted effort and focus attention on strengthening follow-up on reported BSA violations.
DSC Responses to OIG Recommendations
Presented below are DSC’s responses to the specific recommendations made in our audit. The recommendations are considered resolved, undispositioned, and open until the corrective actions are implemented.
Recommendation 1: Re-evaluate and update examination guidance to strengthen monitoring and follow-up processes for BSA violations, including:
- prompt, appropriate, and consistent regulatory action in cases where management action is not timely, including cease and desist orders for repeat violations as appropriate;
- consistent and timely follow-up of BSA violations between examinations to ensure management is taking corrective action;
- consistent citation and recordation of all apparent violations in reports of examination and in ViSION; and
- a consistent approach to the backfiling of CTRs.
DSC agreed with this recommendation. By March 30, 2005, and as part of current initiatives to revisit and update FDIC guidance and with inter-agency cooperation, the DSC will address formal supervisory actions, follow-up actions, citation of apparent violations and recordkeeping, and backfiling of CTRs. The DSC will also work with the FDIC Legal Division to clarify and update, as necessary, enforcement action guidance on BSA.
Recommendation 2: Review DSC’s implementation of the process for referring institution violations of BSA to the Treasury Department, and discuss with Treasury the need to update or modify the referral guidelines based on changes in priority and approach in recent years.
DSC agreed with the recommendation. By year-end 2004, the DSC representative to the Financial Crimes Enforcement Network’s Bank Secrecy Act Advisory Group will introduce the question raised on referral guidelines at an upcoming meeting of the group.
Recommendation 3: Coordinate with state regulatory agencies to cover BSA compliance in state examinations of FDIC-supervised institutions and for those states that do not cover BSA compliance, develop an alternative FDIC process to address BSA compliance when relying on alternating state examinations.
DSC agreed with this recommendation. DSC stated that it is focused on strengthening processes to address variations in the state examination coverage of BSA and believes this action will increase the consistency and reliability of the follow-up to its BSA examinations. DSC expects to complete its review and revisions to BSA guidelines and procedures for BSA coverage during state examinations by March 30, 2005.
APPENDIX I
OBJECTIVE, SCOPE, AND METHODOLOGY
Objective
The audit objective was to determine whether the Federal Deposit Insurance Corporation (FDIC) Division of Supervision and Consumer Protection (DSC) adequately follows up on reported Bank Secrecy Act (BSA) violations to ensure that institutions take appropriate corrective action. To accomplish our objective, we reviewed supervisory actions that DSC has taken to ensure compliance, including efforts to follow up with bank management after examinations and the use of regulatory actions to prompt management action. We conducted the audit in accordance with generally accepted government auditing standards from November 2003 through January 2004.
Scope and Methodology
We held an entrance conference and conducted interviews with officials from DSC headquarters and DSC’s regional and area offices. In addition, we held periodic briefings with DSC officials and solicited their opinions and comments regarding the BSA violations and supervisory actions included in our review. We also interviewed officials in DSC’s Special Activities Section who are responsible, along with regional offices, for coordinating and monitoring DSC’s field and regional efforts for identifying, reporting, and tracking BSA violations and issuing related enforcement actions.
To gain an understanding of procedures that the DSC uses to determine compliance with the BSA, we reviewed the DSC Manual of Examination Policies, and various transmittals, directives, and guidelines issued by the FDIC or the Treasury Department. Further, we reviewed DSC memoranda to obtain an understanding of the processes and procedures used to identify, report, track, and follow up on BSA violations. We also interviewed officials responsible for the Virtual Supervisory Information On the Net system (ViSION), the automated system used by the DSC to compile information on BSA violations as well as to track these violations.
We also reviewed data from applicable FDIC automated systems; reviewed information from other sources, including FDIC and state reports of examination (ROEs); and analyzed DSC supplemental data, including information from FDIC correspondence files and data on the overall profile of financial institutions. To determine the number and type of BSA violations identified during DSC’s examinations of FDIC-supervised institutions from January 1, 1997 to September 30, 2003, we obtained and reviewed ViSION data that included the following:
- each institution’s certificate number, name, and location;
- dates of ROEs that reported BSA violations;
- BSA violation codes, descriptions, and numbers of occurrences; and
- types of violations (including repeat and nonrepeat violations).
Table 4 provides a synopsis of the ViSION data, by DSC regional and area offices.
Table 4: FDIC-Supervised Financial Institutions With BSA Violations From January 1, 1997 Through September 30, 2003 and Financial Institutions with Repeat Violations Based on ViSION Data
| DSC Regional or Area Office | Number of Financial Institutions With BSA Violations (1) | Number of Financial Institutions with Repeat BSA Violations (2) | Percent of Regional/Area Office Institutions with Repeat BSA Violations |
| --- | --- | --- | --- |
| Atlanta | 234 | 44 | 19 |
| Boston | 142 | 23 | 16 |
| Chicago | 446 | 43 | 10 |
| Dallas | 284 | 52 | 18 |
| Kansas | 963 | 205 | 21 |
| Memphis | 348 | 68 | 20 |
| New York | 72 | 3 | 4 |
| San Francisco | 183 | 20 | 11 |
| Totals | 2,672 | 458 | 17 |
1) Total number of financial institutions that had one or more BSA violations recorded in ViSION for examinations completed during the period noted.
2) Total number of financial institutions that had one or more BSA violations recorded in ViSION for examinations completed during the noted period, with at least one of those violations identified as a repeat violation.
Source: OIG review of ViSION data on BSA violations for the noted period.
Based on the ViSION data, we selected a random sample (Note: From the random sample of institutions with BSA violations, we judgmentally selected three institutions from each regional and area office for detailed review. We restricted the sample size to three rather than five due to the constricted time frame to complete the audit. The selection of those institutions for review was based strictly on the randomly generated numbers without giving any consideration for the institutions' violations recorded in ViSION or demographic information. We later made adjustments to the number of randomly selected institutions reviewed as shown in Table 5) from the universe of BSA violations and a judgment sample of repeat violations. Of the total 2,672 financial institutions for which BSA violations had been reported in ViSION, we reviewed 41 institutions in detail. The random sample consisted of 22 institutions selected from the 8 DSC regional or area offices, and the other 19 institutions consisted of a judgment sample of institutions with repeat violations. Of those 19 institutions, we confirmed that 18 had repeat violations. The random sample of 22 institutions also included 9 institutions with repeat violations so that, in total, 27 institutions with repeat violations were in our sample. Table 5 provides a breakdown of those 41 institutions, by FDIC office.
(1) Includes financial institutions that (1) became inactive or merged with another institution less than 12 months after BSA violations were identified, (2) were cited for BSA violations in examinations conducted less than 12 months before the end of the audit scope period, and (3) were determined not to be institutions with repeat violations, which was the initial basis for their selection.
Source: OIG review of ViSION data on BSA violations for the period January 1, 1997 through September 30, 2003; and FDIC institution directory information on the status of financial institutions.
Our specific objectives in reviewing the sampled financial institutions were to determine:
- the types of BSA violations identified during examinations;
- the types of corrective actions that financial institution management implemented or the supervisory actions FDIC pursued for BSA violations;
- differences in the type of BSA violations and actions recorded in ViSION and in the ROEs; and
- whether enforcement actions were recorded in the FDIC’s Formal and Informal Action Tracking system (FIAT) (Note: FIAT is the FDIC’s system for tracking the status of informal supervisory actions and formal enforcement actions. In conjunction with reviewing information from FIAT, we also reviewed FDIC’s Formal and Informal Action Procedures Manual.) for BSA violations identified for the sampled institutions.
In addition, we requested that DSC provide all ROEs for the sampled 41 financial institutions for the period January 1, 1997 through September 30, 2003. Nine of those ROEs were not available for review, primarily for examinations conducted January 1, 1997 through December 31, 1999, because the ROEs either had been archived and were not retrieved or were state examination reports that had not been retained and, therefore, were not available. Because the FDIC and state regulatory agencies usually alternated examination responsibilities and may occasionally conduct joint examinations, we also requested and reviewed available state examination reports for the sampled financial institutions for the same period. We reviewed 200 ROEs—128 ROEs from the FDIC and 72 ROEs from state regulatory agencies.
To determine the number and type of regulatory actions related to BSA in general and specifically for our sampled institutions, we reviewed reports on formal and informal actions recorded in FIAT and supplemental information that DSC provided. We also discussed the FDIC’s position on the circumstances for which the FDIC might consider formal or informal actions for BSA violations.
We provided specific questions on the BSA violations to DSC officials and requested that they provide supplemental information on (1) related corrective actions taken by bank management or regulatory actions imposed by the FDIC and (2) follow-up activities conducted by the FDIC on those violations. For those institutions that were cited for BSA violations related to the filing of Currency Transaction Reports (CTR), we used the FDIC’s CTR Backfiling Request report for the period January 1, 1999, through September 30, 2003, in conjunction with supplemental information from DSC, to determine whether CTRs had been filed for the previously cited violations. Because DSC examiners were not required to track BSA violations related to Suspicious Activity Reports (SAR) in the FDIC’s ViSION system prior to October 2003, our review of SAR violations was limited to information obtained from ROEs provided to us for the sampled institutions.
Our verification of computer-processed data was limited to comparing data obtained from ViSION to data reported in the ROEs and DSC’s supplemental information. We identified inconsistencies in some of the ViSION data when compared to the ROEs and supplemental information. According to DSC officials, the March 2003 conversion from a prior system to ViSION may have led to incomplete records in ViSION for information predating the conversion, and system data entered prior to the conversion may not be fully complete or accurate because edit checks were less thorough in the previous system. To compensate for these inconsistencies, we based our observations on a pooling of the data available from multiple hardcopy and electronic sources and did not rely on any one source except in making our initial sample selection from the data in ViSION. However, we did not validate DSC’s assertions and there is a risk that our audit procedures may not have identified instances, if any, where violations were not included in the prior system and thus not reported to Treasury.
Management Controls Reviewed
We gained an understanding of the management control activities associated with the identification, reporting, and tracking of BSA violations by reviewing DSC’s policies and examination procedures and by performing limited testing of ViSION data. Additionally, we reviewed FDIC’s responsibilities as a financial institution supervisor related to the following:
- The Bank Secrecy Act of 1970, codified to 31 U.S.C. Section 5311 et seq. (BSA), also known as the Currency and Foreign Transactions Reporting Act.
- Code of Federal Regulations (C.F.R.), Title 31—Money and Finance; Subtitle B—Regulations Relating to Money and Finance; Chapter 1—Monetary Offices, Department of the Treasury; Part 103—Financial Recordkeeping and Reporting of Currency and Foreign Transactions, the BSA’s implementing regulations.
- Section 8(s) of the FDI Act, codified to 12 U.S.C. 1818(s), which requires each federal banking agency, including the FDIC, to (a) prescribe regulations requiring insured depository institutions to establish and maintain procedures reasonably designed to ensure and monitor compliance with the BSA, (b) review such procedures during their examinations of these institutions, and (c) enforce compliance with the BSA monetary transaction recordkeeping and report requirements.
- Section 326.8(b) of the FDIC’s Rules and Regulations, codified to 12 C.F.R. Section 326.8, which requires each FDIC-supervised institution to develop and administer a program to ensure compliance with the BSA and 31 C.F.R. Part 103.
- The FDIC Rules and Regulations 12 C.F.R. Part 353 related to the filing of Suspicious Activity Reports.
- Title 12 U.S.C. 1829b, the recordkeeping requirements for insured financial institutions.
During our review, we identified actions that DSC could take to improve management controls over the corrective action process for BSA violations, as described under Results of Audit.
Government Performance and Results Act
We reviewed DSC’s performance measures under the Government Performance and Results Act, Public Law 103-62 (GPRA). We determined that the FDIC did not have a corporate performance objective specifically related to the BSA. However, according to the FDIC’s 2003 Annual Performance Plan and as shown in Table 6 on the next page, the FDIC has established the following strategic goal and objective and annual performance goals related to its supervision and examination responsibilities that include BSA in general.
Table 6: Performance Measures Related to Supervision and Examinations
| STRATEGIC GOAL | STRATEGIC OBJECTIVE | ANNUAL PERFORMANCE GOAL |
| --- | --- | --- |
| FDIC-supervised institutions are safe and sound. | FDIC-supervised institutions appropriately manage risk. | Conduct on-site safety and soundness examinations to assess an FDIC-supervised insured depository institution's overall financial condition, management practices and policies, and compliance with applicable regulations. |
| | | Take prompt supervisory actions to address problems identified during the FDIC examination of FDIC-supervised institutions identified as problem insured depository institutions. |
| | | Monitor FDIC-supervised insured depository institutions' compliance with formal and informal enforcement actions. |
Source: Federal Deposit Insurance Corporation 2003 Annual Performance Plan
Fraud and Illegal Acts
The limited nature of the audit objective did not require that we assess the possibility for fraud and illegal acts. Although we were alert to the possibility of fraud and illegal acts, no instances came to our attention.
Prior Audit Coverage
We reviewed the OIG’s audit report entitled Examination Assessment of Bank Secrecy Act Compliance (Audit Report Number 01-013, dated March 30, 2001) to obtain an understanding of previous OIG audit work related to the BSA. The objective of that audit was to determine the extent to which FDIC safety and soundness examinations reviewed institutions’ compliance with the BSA. As a result of that audit, the OIG recommended improvements in the FDIC’s documentation of work related to the BSA. FDIC officials generally concurred with the OIG’s recommendations and agreed to implement procedures or issue guidance to address the OIG’s concerns. We did not follow up on these recommendations or assess the adequacy of BSA examination procedures and documentation during this current audit.
In addition, we coordinated with the U.S. General Accounting Office to determine whether there were any previous or ongoing audits or reviews related to BSA violations by FDIC-supervised institutions and associated supervisory actions. We also reviewed the applicable section of the DSC Regional Office Review Program to determine whether regional office reviews cover BSA violations and BSA-related enforcement actions. Based on these actions, we determined that except for the FDIC OIG’s BSA-related report noted above, there was no prior or ongoing work related to the objective of this audit. In addition, we contacted the OIG Counsel’s office to obtain information related to statutory requirements and analysis of enforcement authority for the Treasury Department and the FDIC.
We also reviewed Treasury Department Web sites to obtain information on the BSA and a September 2003 report entitled OTS: Enforcement Actions Taken for Bank Secrecy Act Violations, which was prepared by the Treasury Department OIG on the Office of Thrift Supervision’s BSA enforcement.
During this audit, we did not do the following:
- Determine the adequacy of the examinations that identified the BSA violations.
- Review the underlying wo
|