BANK SECRECY ACT, ANTI-MONEY LAUNDERING,

AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1

INTRODUCTION TO THE BANK respectively, over the past several decades. Several of
SECRECY ACT these acts include:

The Financial Recordkeeping and Reporting of Currency • Money Laundering Control Act of 1986,
and Foreign Transactions Act of 1970 (31 U.S.C. 5311 et • Annuzio-Wylie Anti-Money Laundering Act of 1992,
seq.) is referred to as the Bank Secrecy Act (BSA). The • Money Laundering Suppression Act of 1994, and
purpose of the BSA is to require United States (U.S.) • Money Laundering and Financial Crimes Strategy Act
financial institutions to maintain appropriate records and of 1998.
file certain reports involving currency transactions and a
financial institution’s customer relationships. Currency Most recently, the Uniting and Strengthening America by
Transaction Reports (CTRs) and Suspicious Activity Providing Appropriate Tools Required to Intercept and
Reports (SARs) are the primary means used by banks to Obstruct Terrorism Act (more commonly known as the
satisfy the requirements of the BSA. The recordkeeping USA PATRIOT Act) was swiftly enacted by Congress in
regulations also include the requirement that a financial October 2001, primarily in response to the September 11,
institution’s records be sufficient to enable transactions and 2001 terrorist attacks on the U.S. The USA PATRIOT Act
activity in customer accounts to be reconstructed if established a host of new measures to prevent, detect, and
necessary. In doing so, a paper and audit trail is prosecute those involved in money laundering and terrorist
maintained. These records and reports have a high degree financing.
of usefulness in criminal, tax, or regulatory investigations
or proceedings.
FINANCIAL CRIMES ENFORCEMENT
The BSA consists of two parts: Title I Financial NETWORK REPORTING AND
Recordkeeping and Title II Reports of Currency and RECORDKEEPING REQUIREMENTS
Foreign Transactions. Title I authorizes the Secretary of
the Department of the Treasury (Treasury) to issue
regulations, which require insured financial institutions to Currency Transaction Reports
maintain certain records. Title II directed the Treasury to and Exemptions
prescribe regulations governing the reporting of certain
transactions by and through financial institutions in excess U.S. financial institutions must file a CTR, Financial
of $10,000 into, out of, and within the U.S. The Crimes Enforcement Network (FinCEN) Form 104
Treasury’s implementing regulations under the BSA, (formerly known as Internal Revenue Service [IRS] Form
issued within the provisions of 31 CFR Part 103, are 4789), for each currency transaction over $10,000. A
included in the FDIC’s Rules and Regulations and on the currency transaction is any transaction involving the
FDIC website. physical transfer of currency from one person to another
and covers deposits, withdrawals, exchanges, or transfers
The implementing regulations under the BSA were of currency or other payments. Currency is defined as
originally intended to aid investigations into an array of currency and coin of the U.S. or any other country as long
criminal activities, from income tax evasion to money as it is customarily accepted as money in the country of
laundering. In recent years, the reports and records issue.
prescribed by the BSA have also been utilized as tools for
investigating individuals suspected of engaging in illegal Multiple currency transactions shall be treated as a single
drug and terrorist financing activities. Law enforcement transaction if the financial institution has knowledge that
agencies have found CTRs to be extremely valuable in the transactions are by, or on behalf of, any person and
tracking the huge amounts of cash generated by individuals result in either cash in or cash out totaling more than
and entities for illicit purposes. SARs, used by financial $10,000 during any one business day. Transactions at all
institutions to report identified or suspected illicit or branches of a financial institution should be aggregated
unusual activities, are likewise extremely valuable to law when determining reportable multiple transactions.
enforcement agencies.
CTR Filing Requirements
Several acts and regulations expanding and strengthening
the scope and enforcement of the BSA, anti-money Customer and Transaction Information
laundering (AML) measures, and counter-terrorist
financing measures have been signed into law and issued, All CTRs required by 31 CFR 103.22 of the Financial
Recordkeeping and Reporting of Currency and Foreign

DSC Risk Management Manual of Examination Policies 8.1-1 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
Transactions regulations must be filed with the IRS. transaction. PACS was launched in October 2002 and
Financial institutions are required to provide all requested permits secure filing of CTRs over the Internet using
information on the CTR, including the following for the encryption technology. Financial institutions can access
person conducting the transaction: PACS after applying for and receiving a digital certificate.

• Name, Examiners reviewing filed CTRs should inquire with

• Street address (a post office box number is not financial institution management regarding the manner in
acceptable), which CTRs are filed before evaluating the timeliness of
• Social security number (SSN) or taxpayer such filings. If for any reason a financial institution should
identification number (TIN) (for non-U.S. residents), withdraw from the magnetic tape program or the PACS
and program, or for any other reason file paper CTRs, those
• Date of birth. CTRs must be filed within the standard 15 day period
following the reportable transaction.
The documentation used to verify the identity of the
individual conducting the transaction should be specified. Exemptions from CTR Filing Requirements
Signature cards may be relied upon; however, the specific
documentation used to establish the person’s identity Certain “persons” who routinely use currency may be
should be noted. A mere notation that the customer is eligible for exemption from CTR filings. Exemptions were
“known to the financial institution” is insufficient. implemented to reduce the reporting burden and permit
Additional requested information includes the following: more efficient use of the filed records. Financial
institutions are not required to exempt customers, but are
• Account number, encouraged to do so. There are two types of exemptions,
• Social security number or taxpayer identification referred to as “Phase I” and “Phase II” exemptions.
number of the person or entity for whose account the
transaction is being conducted (should reflect all “Phase I” exemptions may be granted for the following
account holders for joint accounts), and “exempt persons”:
• Amount and kind of transaction (transactions
involving foreign currency should identify the country • A bank2, to the extent of its domestic operations;
of origin and report the U.S. dollar equivalent of the • A Federal, State, or local government agency or
foreign currency on the day of the transaction). department;
• Any entity exercising governmental authority within
The financial institution must provide a contact person, and the U.S. (U.S. includes District of Columbia,
the CTR must be signed by the preparer and an approving Territories, and Indian tribal lands);
official. Financial institutions can also file amendments on • Any listed entity other than a bank whose common
previously filed CTRs by using a new CTR form and stock or analogous equity interests are listed on the
checking the box that indicates an amendment. New York, American, or NASDAQ stock exchanges
(with some exceptions);
CTR Filing Deadlines • Any U.S. domestic subsidiary (other than a bank) of
any “listed entity” that is organized under U.S. law and
CTRs filed with the IRS are maintained in the FinCEN at least 51 percent of the subsidiary’s common stock is
database, which is made available to Federal Banking owned by the listed entity.
Agencies1 and law enforcement. Paper forms are to be
filed within 15 days following the date of the reportable “Phase II” exemptions may be granted for the following:
transaction. If CTRs are filed using magnetic media,
pursuant to an agreement between a financial institution • A “non-listed business,” which includes commercial
and the IRS, a financial institution must file a CTR within enterprises that do not have more than 50% of the
25 calendar days of the date of the reportable transaction. business gross revenues derived from certain ineligible
A third option is to file CTRs using the Patriot Act businesses. Gross revenue has been interpreted to
Communication System (PACS), which also allows up to reflect what a business actually earns from an activity
25 calendar days to file the CTR following the reportable conducted by the business, rather than the sales
volume of such activity. “Non-listed businesses” must
1
Federal Banking Agencies consist of the Federal Reserve Board (FRB),
Office of the Comptroller of the Currency (OCC), Office of Thrift
2
Supervision (OTS), National Credit Union Administration (NCUA), and Bank is defined in The U.S. Department of the Treasury (Treasury)
the FDIC. Regulation 31 CFR 103.11.

Bank Secrecy Act (12-04) 8.1-2 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
also be incorporated or organized under U.S. laws and • Pawn brokers;
be eligible to do business in the U.S. and may only be • Businesses that charter ships, aircraft, or buses;
exempted to the extent of its domestic operations. • Auction services;
• A “payroll customer,” which includes any other person • Entities involved in gaming of any kind (excluding
not covered under the “exempt person” definition that licensed para mutual betting at race tracks);
operates a firm that regularly withdraws more than • Trade union activities; and
$10,000 in order to pay its U.S. employees in • Any other activities as specified by FinCEN.
currency. “Payroll customers” must also be
incorporated and eligible to do business in the U.S. Additional Qualification Criteria for
“Payroll customers” may only be exempted on their Phase II Exemptions
withdrawals for payroll purposes from existing
transaction accounts. Both “non-listed businesses” and “payroll customers” must
meet the following additional criteria to be eligible for
Commercial transaction accounts of sole proprietorships “Phase II” exemption:
can qualify for “non-listed business” or “payroll customer”
exemption. • The entity has maintained a transaction account with
the financial institution for at least twelve consecutive
Exemption of Franchisees months;
• The entity engages in frequent currency transactions
Franchisees of listed corporations (or of their subsidiaries) that exceed $10,000 (or in the case of a “payroll
are not included within the definition of an “exempt customer,” regularly makes withdrawals of over
person” under "Phase I" unless such franchisees are $10,000 to pay U.S. employees in currency); and
independently exempt as listed corporations or listed • The entity is incorporated or organized under the laws
corporation subsidiaries. For example, a local corporation of the U.S. or a state, or registered as, and eligible to
that holds an ABC Corporation franchise is not a “Phase I” do business in the U.S. or state.
“exempt person” simply because ABC Corporation is a
listed corporation; however, it is possible that the local The financial institution may treat all of the customer’s
corporation may qualify for “Phase II” exemption as a transaction accounts at that financial institution as a single
“non-listed business,” assuming it meets all other account to qualify for exemption. There may be
exemption qualification requirements. An ABC exceptions to this rule if certain accounts are exclusively
Corporation outlet owned by ABC Corporation directly, on used for non-exempt portions of the business. (For
the other hand, would be a “Phase I” “exempt person” example, a small grocery with wire transfer services has a
because ABC Corporation's common stock is listed on the separate account just for its wire business).
New York Stock Exchange.
Accounts of multiple businesses owned by the same
Ineligible Businesses individual(s) are generally not eligible to be treated as a
single account. However, it may be necessary to treat such
There are several higher-risk businesses that may not be accounts as a single account if the financial institution has
exempted from CTR filings. The nature of these evidence that the corporate veil has been pierced. Such
businesses increases the likelihood that they can be used to evidence may include, but is not limited to:
facilitate money laundering and other illicit activities.
Ineligible businesses include:
• Businesses are operated out of the same location
and/or utilize the same phone number;
• Non-bank financial institutions or agents thereof (this
• Businesses are operated by the same daily
definition includes telegraph companies, and money
management and/or board of directors;
services businesses [currency exchange, check casher,
• Cash deposits or other banking transactions are
or issuer of monetary instruments in an amount greater
completed by the same individual at the same time for
than $1,000 to any person in one day]);
the different businesses;
• Purchasers or sellers of motor vehicles, vessels,
• Funds are frequently intermingled between accounts or
aircraft, farm equipment, or mobile homes;
there are unexplained transfers from one account to the
• Those engaged in the practice of law, medicine, or
other; or
accountancy;
• Business activities of the entities cannot be
• Investment advisors or investment bankers;
differentiated.
• Real estate brokerage, closing, or title insurance firms;

DSC Risk Management Manual of Examination Policies 8.1-3 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
More than one of these factors must typically be present in an “exempt person” as an agent for another person, who is
order to provide sufficient evidence that the corporate veil the beneficial owner of the funds involved in a transaction
has been pierced. in currency can not be exempted.

Transactions conducted by an “exempt person” as agent or Exemption forms for “Phase I” persons need to be filed
on behalf of another person are not eligible to be exempted only once. A financial institution that wants to exempt
based on being transacted by an “exempt person.” another financial institution from which it buys or sells
currency must be designated exempt by the close of the 30
Exemption Qualification Documentation Requirements day period beginning after the day of the first reportable
transaction in currency with the other financial institution.
Decisions to exempt any entity should be based on the Federal Reserve Banks are excluded from this requirement.
financial institution taking reasonable and prudent steps to
document the identification of the entity. The specific Exemption forms for “Phase II” persons need to be
methodology for performing this assessment is largely at renewed and filed every two years, assuming that the
the financial institution’s discretion; however, results of the “exempt person” continues to meet all exemption criteria,
review must be documented. For example, it is acceptable as verified and documented in the required annual review
to document that a stock is listed on a stock market by process discussed above. The filing must be made by
relying on a listing of exchange stock published in a March 15th of the second calendar year following the year
newspaper or by using publicly available information in which the initial exemption was granted, and by every
through the Securities and Exchange Commission (SEC). other March 15th thereafter. When filing a biennial
To document the subsidiary of a listed entity, a financial renewal of the exemption for these customers, the financial
institution may rely on authenticated corporate officer’s institution will need to indicate any change in ownership of
certificates or annual reports filed with the SEC. Annually, the business. Initial exemption of a “non-listed business”
management should also ensure that “Phase I” exempt or “payroll customer” must be made within 30 days after
persons remain eligible for exemption (for example, the day of the first reportable transaction in currency that
entities remain listed on National exchanges.) the financial institution wishes to include under the
exemption. Form TD F 90-22.53 can be also used to
For “non-listed businesses” and “payroll customers,” the revoke or amend an exemption.
financial institution will need to document that the entity
meets the qualifying criteria both at the time of the initial CTR Backfiling
exemption and annually thereafter. To perform the annual
reviews, the financial institution can verify and update the Examiners may determine that a financial institution has
information that it has in its files to document continued failed to file CTRs in accordance with 31 CFR 103, or has
eligibility for exemption. The financial institution must improperly exempted customers from CTR filings. In
also indicate that it has a system for monitoring the situations where an institution has failed to file a number of
transactions in the account for suspicious activity as it CTRs on reportable transactions for any reason, examiners
continues to be obligated to file Suspicious Activity should instruct management to promptly contact the IRS
Reports on activities of “exempt persons,” when Detroit Computing Center (IRS DCC), Compliance
appropriate. SARs are discussed in detail within the Review Group for instructions and guidance concerning
“Suspicious Activity Reporting” section of this chapter. the possible requirement to backfile CTRs for those
affected transactions. The IRS DCC will provide an initial
Designation of Exempt Person Filings and Renewals determination on whether CTRs should be backfiled in
those cases. Cases that involve substantial noncompliance
Both “Phase I” and “Phase II” exemptions are filed with with CTR filing requirements are referred to FinCEN for
FinCEN using Form TD F 90-22.53 - Designation of review. Upon review, FinCEN may correspond directly
Exempt Person. This form is available on the Internet at with the institution to discuss the program deficiencies that
FinCEN’s website. The designation must be made resulted in the institution’s failure to appropriately file a
separately by each financial institution that treats the CTR and the corrective action that management has
person in question as an exempt customer. This implemented to prevent further infractions.
designation requirement applies whether or not the
designee has previously been treated as exempt from the When a backfiling request is necessary, examiners should
CTR reporting requirements within 31 CFR 103. Again, direct financial institutions to write a letter to the IRS at the
the exemption applies only to transactions involving the IRS Detroit Computing Center, Compliance Review Group
“exempt person's” own funds. A transaction carried out by Attn: Backfiling, P.O. Box 32063, Detroit, Michigan,

Bank Secrecy Act (12-04) 8.1-4 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
48232-0063 that explains why CTRs were not filed. For financial institutions with a large volume of records,
Examiners should also provide the financial institution a three months or less may be more appropriate.
copy of the “Check List for CTR Filing Determination”
form available on the FDIC’s website. The financial Since variations in spellings of an individual’s name are
institution will need to complete this form and include it possible, accuracy of the TIN/SSN is essential in ensuring
with the letter to the IRS. accuracy of the information received from the FinCEN
database. To this end, examiners should also identify any
Once an institution has been instructed to contact IRS DCC situations where a financial institution is using more than
for a backfiling determination, examiners should notify one tax identification number to file their CTRs and/or
both their Regional Special Activities Case Manager SARs. To reduce the possibility of error in communicating
(SACM) or other designees and the Special Activities CTR and SAR information/verification requests, examiners
Section (SAS) in Washington, D.C. Specific contacts are are requested to e-mail or fax the request to their Regional
listed on the FDIC’s Intranet website. Requisite SACM or other designee.
information should be forwarded electronically via e-mail
to these contacts. Other FinCEN Reports
Currency and Banking Retrieval System Report of International Transportation of Currency or
Monetary Instruments
The Currency and Banking Retrieval System (CBRS) is a
database of CTRs, SARs, and CTR Exemptions filed with Treasury regulation 31 CFR 103.23 requires the filing of
the IRS. It is maintained at the IRS Detroit Computing FinCEN Form 105, formerly Form 4790, to comply with
Center. The SAS, as well as each Region’s SACM and other Treasury regulations and U.S. Customs disclosure
other designees, has on-line access to the CBRS. Refer to requirements involving physical transport, mailing or
your Regional Office for a full listing of those individuals shipping of currency or monetary instruments greater than
with access to the FinCEN database. $10,000 at one time out of or into the U.S. The report is to
be completed by or on behalf of the person requesting the
Examiners should routinely receive volume and trend transfer of the funds and filed within 15 days. However,
information on CTRs and SARs from their Regional financial institutions are not required to report these items
SACM or other designees for each examination or if they are mailed or shipped through the postal service or
visitation prior to the pre-planning process. In addition, by common carrier. Also excluded from reporting are
the database information may be used to verify CTR, SAR those items that are shipped to or received from the
and/or CTR Exemption filings. Detailed FinCEN database account of an established customer who maintains a
information may be used for expanded BSA reviews or in deposit relationship with the bank, provided the item
any unusual circumstances where examiners suspect certain amounts are commensurate with the customary conduct of
forms have not been filed by the financial institution, or business of the customer concerned.
where suspicious activity by individuals has been detected.
In situations where the quantity, dollar volume, and
Examiners should provide all of the following items they frequency of the currency and/or monetary instruments are
have available for each search request: not commensurate with the customary conduct of the
customer, financial institution management will need to
• The name of the subject of the search (financial conduct further documented research on the customer’s
institution and/or individual/entity); transactions and determine whether a SAR should be filed
• The subject's nine-digit TIN/SSN (in Part III of the with FinCEN. Please refer to the discussion on “Customer
CTR form if seeking information on the financial Due Diligence” and “Suspicious Activity Reporting”
institution and/or Part I of the CTR form if seeking within this chapter for detailed guidance.
information on the individual/entity); and
• The date range for which the information is requested. Reports of Foreign Bank Accounts

When requesting a download or listing of CTR and SAR Within 31 CFR 103.24, the Treasury requires each person
information, examiners should take into consideration the who has a financial interest in or signature authority, or
volume of CTRs and SARs filed by the financial institution other authority over any financial accounts, including bank,
under examination when determining the date range securities, or other types of financial accounts, maintained
requested. Except under unusual circumstances, the date in a foreign country to report those relationships to the IRS
range for full listings should be no greater than one year. annually if the aggregate value of the accounts exceeds

DSC Risk Management Manual of Examination Policies 8.1-5 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
$10,000 at any point during the calendar year. The report If the purchaser does not have a deposit account at the
should be filed by June 30 of the succeeding calendar year, financial institution, the following additional information
using Form TD F 90-22.1 available on the FinCEN must be obtained:
website. By definition, a foreign country includes all
locations outside the United States, Guam, Puerto Rico, the • Address of the purchaser (a post office box number is
Virgin Islands, the Northern Mariana Islands, American not acceptable);
Samoa, and Trust Territory of the Pacific Islands. U.S. • Social security number (or alien identification number)
military banking facilities are excluded. Foreign assets of the purchaser;
including securities issued by foreign corporations that are • Date of birth of the purchaser; and
held directly by a U.S. person, or through an account • Verification of the name and address with an
maintained with a U.S. office of a bank or other institution acceptable document (i.e. driver’s license).
are not subject to the BSA foreign account reporting
requirements. The bank is also not required to report The regulation requires that multiple purchases during one
international interbank transfer accounts (“nostro business day be aggregated and treated as one purchase.
accounts”) held by domestic banks. Also excluded are Purchases of different types of instruments at the same time
accounts held in a foreign financial institution in the name are treated as one purchase and the amounts should be
of, or on behalf of, a particular customer of the financial aggregated to determine if the total is $3,000 or more. In
institution, or that are used solely for the transactions of a addition, the financial institution should have procedures in
particular customer. Finally, an officer or employee of a place to identify multiple purchases of monetary
federally-insured depository institution branch, or agency instruments during one business day, and to aggregate this
office within the U.S. of a foreign bank that is subject to information from all of the bank branch offices.
the supervision of a Federal bank regulatory agency need
not report that he or she has signature or other authority If a customer first deposits the cash in a bank account, then
over a foreign bank, securities or other financial account purchases a monetary instrument(s), the transaction is still
maintained by such entities unless he or she has a personal subject to this regulatory requirement. The financial
financial interest in the account. institution is not required to maintain a log for these
transactions, but should have procedures in place to
FinCEN Recordkeeping Requirements recreate the transactions.

Required Records for Sales of Monetary Instruments The information required to be obtained under 31 CFR
for Cash 103.29 must be retained for a period of five years.

Treasury regulation 31 CFR 103.29 prohibits financial Funds Transfer and Travel Rule Requirements
institutions from issuing or selling monetary instruments
purchased with cash in amounts of $3,000 to $10,000, Treasury regulation 31 CFR Section 103.33 prescribes
inclusive, unless it obtains and records certain identifying information that must be obtained for funds transfers in the
information on the purchaser and specific transaction amount of $3,000 or more. There is a detailed discussion
information. Monetary instruments include bank checks, of the recordkeeping requirements and risks associated
bank drafts, cashier’s checks, money orders, and traveler’s with wire transfers within the “Banking Services and
checks. Furthermore, the identifying information of all Activities with Greater Potential for Money Laundering
purchasers must be verified. The following information and Terrorist Financing Vulnerabilities” discussion within
must be obtained from a purchaser who has a deposit this chapter.
account at the financial institution:
Records to be Made and Retained by Financial
• Purchaser’s name; Institutions
• Date of purchase;
• Type(s) of instrument(s) purchased; Treasury regulation 31 CFR 103.33 states that each
• Serial number(s) of each of the instrument(s) financial institution must retain either the original or a
purchased; and microfilm or other copy/reproduction of each of the
• Amounts in dollars of each of the instrument(s) following:
purchased.
• A record of each extension of credit in an amount in
excess of $10,000, except an extension of credit
secured by an interest in real property. The record

Bank Secrecy Act (12-04) 8.1-6 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
must contain the name and address of the borrower, document. If no record is made in the ordinary course of
the loan amount, the nature or purpose of the loan, and business of any transaction with respect to which records
the date the loan was made. The stated purpose can be are required to be retained, then such a record shall be
very general such as a passbook loan, personal loan, or prepared in writing by the financial institution.
business loan. However, financial institutions should
be encouraged to be as specific as possible when
stating the loan purpose. Additionally, the purpose of CUSTOMER IDENTIFICATION
a renewal, refinancing, or consolidation is not required PROGRAM
as long as the original purpose has not changed and
the original statement of purpose is retained for a Section 326 of the USA PATRIOT Act, which is
period of five years after the renewal, refinancing or implemented by 31 CFR 103.121, requires banks, savings
consolidation has been paid out. associations, credit unions, and certain non-federally
• A record of each advice, request, or instruction regulated banks to implement a written Customer
received or given regarding any transaction resulting Identification Program (CIP) appropriate for its size and
in the transfer of currency or other monetary type of business. For Section 326, the definition of
instruments, funds, checks, investment securities, or financial institution encompasses a variety of entities,
credit, of more than $10,000 to or from any person, including banks, agencies and branches of foreign banks in
account, or place outside the U.S. This requirement the U.S., thrifts, credit unions, private banks, trust
also applies to transactions later canceled if such a companies, investment companies, brokers and dealers in
record is normally made. securities, futures commission merchants, insurance
companies, travel agents, pawnbrokers, dealers in precious
Required Records for Deposit Accounts metals, check cashers, casinos, and telegraph companies,
among many others identified at 31 USC 5312(a)(2) and
Treasury regulation 31 CFR 103.34 requires banking (c)(1)(A). As of October 1, 2003, all institutions and their
institutions to obtain and retain a social security number or operating subsidiaries must have in place a CIP pursuant to
taxpayer identification number for each deposit account Treasury regulation 31 CFR 103.121.
opened after June 30, 1972, and before October 1, 2003.
The same information must be obtained for each certificate The CIP rules do not apply to a financial institution’s
of deposit sold or redeemed after May 31, 1978, and foreign subsidiaries. However, financial institutions are
before October 1, 2003. The banking institution must encouraged to implement an effective CIP throughout their
make a reasonable effort to obtain the identification operations, including their foreign offices, except to the
number within 30 days after opening the account, but will extent that the requirements of the rule would conflict with
not be held in violation of the regulation if it maintains a local law.
list of the names, addresses, and account numbers of those
customers from whom it has been unable to secure an
identification number. Where a person is a nonresident Applicability of CIP Regulation
alien, the banking institution shall also record the person's
passport number or a description of some other The CIP rules apply to banks, as defined in 31 CFR
government document used to verify his/her identity. 103.11 that are subject to regulation by a Federal Banking
Agency and to any non-Federally-insured credit union,
Furthermore, 31 CFR 103.34 generally requires banks to private bank or trust company that does not have a Federal
maintain records of items needed to reconstruct transaction functional regulator. Entities that are regulated by the U.S.
accounts and other receipts or remittances of funds through Securities and Exchange Commission (SEC) and the
a bank. Specific details of these requirements are in the Commodity Futures Trading Commission (CFTC) are
regulation. subject to separate rulemakings. It is intended that the
effect of all of these rules be uniform throughout the
Record Retention Period and Nature of Records financial services industry.

All records required by the regulation shall be retained for CIP Requirements
five years. Records may be kept in paper or electronic
form. Microfilm, microfiche or other commonly accepted 31 CFR 103.121 requires a bank to develop and
forms of records are acceptable as long as they are implement a written, board-approved CIP, appropriate for
accessible within a reasonable period of time. The record its size and type of business that includes, at a minimum,
should be able to show both the front and back of each procedures for:

DSC Risk Management Manual of Examination Policies 8.1-7 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
definitions are provided for the terms person, customer,
• Verifying a customer’s true identity to the extent and account. Both bank management and examiners must
reasonable and practicable and defining the properly understand these terms in order to effectively
methodologies to be used in the verification process; implement and assess compliance with CIP regulations,
• Collecting specific identifying information from each respectively.
customer when opening an account;
• Responding to circumstances and defining actions to Person
be taken when a customer’s true identity cannot be
appropriately verified with “reasonable belief;” A person is generally an individual or other legal entity
• Maintaining appropriate records during the collection (such as registered corporations, partnerships, and trusts).
and verification of a customer’s identity;
• Verifying a customer’s name against specified terrorist Customer
lists; and
• Providing customers with adequate notice that the A customer is generally defined as any of the following:
bank is requesting identification to verify their
identities. • A person that opens a new account (account is
defined further within the discussion of CIP
While not required, a bank may also include procedures definitions);
for: • An individual acting with “power of attorney”(POA)3
who opens a new account to be owned by or for the
• Specifying when it will rely on another financial benefit of a person lacking legal capacity, such as a
institution (including an affiliate) to perform some or minor;
all of the elements of the CIP. • An individual who opens an account for an entity that
is not a legal person, such as a civic club or sports
Additionally, 31 CFR 103.121 provides that a bank with a boosters;
Federal functional regulator must formally incorporate its • An individual added to an existing account or one
CIP into its written board-approved anti-money laundering who assumes an existing debt at the bank; or
program. The FDIC expanded Section 326.8 of its Rules • A deposit broker who brings new customers to the
and Regulations to require each FDIC-supervised bank (as discussed in detail later within this section).
institution to implement a CIP that complies with 31 CFR
103.121 and incorporate such CIP into a bank’s written The definition of customer excludes:
board-approved BSA compliance program (with evidence
of such approval noted in the board meeting minutes). • A financial institution regulated by a Federal Banking
Consequently, a bank must specifically provide: Agency or a bank regulated by a State bank regulator4;
• A department or agency of the U.S. Government, of
• Internal policies, procedures, and controls; any state, or of any political subdivision of any state;
• Designation of a compliance officer; • Any entity established under the laws of the U.S., of
• Ongoing employee training programs; and any state, or of any political subdivision of any state,
• An independent audit function to test program. or under an interstate compact between two or more
states, that exercises governmental authority on behalf
The slight difference in wording between the Treasury’s of the U.S. or any such state or political subdivision
and FDIC’s regulations regarding incorporation of a bank’s (U.S. includes District of Columbia and Indian tribal
CIP within its anti-money laundering program and BSA lands and governments); or
compliance program, respectively, was not intended to
create duplicative requirements. Therefore, an FDIC-
regulated bank must include its CIP within its anti-money 3
If a POA individual opens an account for another individual with legal
laundering program and the latter included under the capacity or for a legal entity, then the customer is still the account
“umbrella” of its overall BSA/AML program. holder. In this case, the POA is an agent acting on behalf of the person
that opens the account and the CIP must still cover the account holder
CIP Definitions (unless the person lacks legal capacity).

4
As discussed above, both Section 326 of the USA The IRS is not a Federal functional regulator. Consequently, money
service businesses, such as check cashers and wire transmitters that are
PATRIOT Act and 31 CFR 103.121 specifically define the regulated by the IRS are not exempted from the definition of customer for
terms financial institution and bank. Similarly, specific CIP purposes.

Bank Secrecy Act (12-04) 8.1-8 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
• Any entity, other than a bank, whose common stock or • Cash management, custodian, and trust services; or
analogous equity interests are listed on the New York • Any other type of formal, ongoing banking
or American Stock Exchanges or whose common relationship.
stock or analogous equity interests have been
designated as a NASDAQ National Market Security The definition of account specifically excludes the
listed on the NASDAQ Stock Market (except stock or following:
interests listed under the separate "NASDAQ Small-
Cap Issues" heading). A listed company is exempted • Product or service where a formal banking relationship
from the definition of customer only for its domestic is NOT established with a person. Thus CIP is not
operations. intended for infrequent transactions and activities
(already covered under other recordkeeping
The definition of customer also excludes a person who requirements within 31 CFR 103) such as:
has an existing account with a bank, provided that the bank o Check cashing,
has a “reasonable belief” that it knows the true identity of o Wire transfers,
the person. So, if the person were to open an additional o Sales of checks,
account, or renew or roll over an existing account, CIP o Sales of money orders;
procedures would not be required. A bank can • Accounts acquired through an acquisition, merger,
demonstrate that is has a “reasonable belief” that it knows purchase of assets, or assumption of liabilities (as
the identity of an existing customer by: these “new” accounts were not initiated by
customers);5 and
• Demonstrating that it had similar procedures in place • Accounts opened for the purpose of participating in an
to verify the identity of persons prior to the effective employee benefit plan established under the Employee
date of the CIP rule. (An “affidavit of identity” by a Retirement Income Security Act of 1974 (ERISA).
bank officer is not acceptable for demonstrating
“reasonable belief.”) Furthermore, the CIP requirements do not apply to a
• Providing a history of account statements sent to the person who does not receive banking services, such as a
person. person who applies for a loan but has his/her application
• Maintaining account information sent to the IRS denied. The account in this circumstance is only opened
regarding the person’s accounts accompanied by IRS when the bank enters into an enforceable agreement to
replies that contain no negative comments. provide a loan to the person (who therefore also
• Providing evidence of loans made and repaid, or other simultaneously becomes a customer).
services performed for the person over a period of
time. Collecting Required Customer Identifying Information

These actions may not be sufficient for existing account The CIP must contain account opening procedures that
holders deemed to be high risk. For example, in the specify the identifying information obtained from each
situation of an import/export business where the identifying customer prior to opening the account. The minimum
information on file only includes a number from a passport required information includes:
marked as a duplicate with no additional business
information on file, the bank should follow all of the CIP • Name.
requirements provided in 31 CFR 103.121 since it does not • Date of birth, for an individual.
have sufficient information to show a “reasonable belief”
of the true identity of the existing account holder.

Account 5
Accounts acquired by purchase of assets from a third party are
excluded from the CIP regulations, provided the purchase was not made
An account is defined as a formal, ongoing banking under an agency in place or exclusive sale arrangement, where the bank
relationship established to provide or engage in services, has final approval of the credit. If under an agency arrangement, the
dealings, or other financial transactions including: bank may rely on the agent third party to perform the bank’s CIP, but it
must ensure that the agent is performing the bank’s CIP program. For
example, a pool of auto loans purchased from an auto dealer after the
• Deposit accounts; loans have already been made would not be subject to the CIP
• Transaction or asset accounts ; regulations. However, if the bank is directly extending credit to the
borrower and is using the car dealer as its agent to gather information,
• Credit accounts, or any other extension of credit; then the bank must ensure that the dealer is performing the bank’s CIP.
• Safety deposit box or other safekeeping services;

DSC Risk Management Manual of Examination Policies 8.1-9 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
• Physical address6, which shall be: customer prior to opening an account in the case of credit
o for an individual, a residential or business card accounts. A bank may obtain identifying information
street address (An individual who does not (such as TIN) from a third-party source prior to extending
have a physical address may provide an Army credit to the customer.
Post Office [APO] or a Fleet Post Office
[FPO] box number, or the residential or Verifying Customer Identity Information
business street address of next of kin or of
another contact individual. Using the box The CIP should rely on a risk-focused approach when
number on a rural route is acceptable developing procedures for verifying the identity of each
description of the physical location customer to the extent reasonable and practicable. A bank
requirement.) need not establish the accuracy of every element of
o for a person other than an individual (such as identifying information obtained in the account opening
corporations, partnerships, and trusts), a process, but must do so for enough information to form a
principal place of business, local office, or “reasonable belief” that it knows the true identity of each
other physical location. customer. At a minimum, the risk-focused procedures
• Identification number including a SSN, TIN, must be based on, but not limited to, the following factors:
Individual Tax Identification Number (ITIN), or
Employer Identification Number (EIN). • Risks presented by the various types of accounts
offered by the bank;
For non-U.S. persons, the bank must obtain one or more of • Various methods of opening accounts provided by the
the following identification numbers: bank;
• Various sources and types of identifying information
• Customer’s TIN, available; and
• Passport number and country of issuance, • The bank’s size, location, and customer base.
• Alien identification card number, and
• Number and country of issuance of any other (foreign) Furthermore, a bank’s CIP procedures must describe when
government-issued document evidencing nationality or the bank will use documentary verification methods,
residence and bearing a photograph or similar non-documentary verification methods, or a
safeguard. combination of both methods.

When opening an account for a foreign business or Documentary Verification

enterprise that does not have an identification number, the
bank must request alternative government-issued The CIP must contain procedures that set forth the specific
documentation certifying the existence of the business or documents that the bank will use. For an individual, the
enterprise. documents may include:

Exceptions to Required Customer Identifying • Unexpired government-issued identification

Information evidencing nationality or residence, and bearing a
photograph or similar safeguard, such as a driver’s
The bank may develop, include, and follow CIP procedures license or passport.
for a customer who at the time of account opening, has
applied for, but has not yet received, a TIN. However, the For a person other than an individual (such as a
CIP must include procedures to confirm that the corporation, partnership, or trust), the documents may
application was filed before the customer opens the include:
account and procedures to obtain the TIN within a
reasonable period of time after the account is opened. • Documents showing the existence of the entity, such as
certified articles of incorporation, a government-issued
There is also an exception to the requirement that a bank business license, a partnership agreement, trust
obtain the above-listed identifying information from the instrument, a certificate of good standing, or a
business resolution.
6
The bank MUST obtain a physical address: a P.O. Box alone is NOT
acceptable. Collection of a P.O. Box address and/or alternate mailing Non-Documentary Verification
address is optional and potentially very useful as part of the bank’s
Customer Due Diligence (CDD) program.

Bank Secrecy Act (12-04) 8.1-10 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
Banks are not required to use non-documentary methods to beneficiaries, principals, and guarantors. As previously
verify a customer’s identity. However, if a bank chooses to stated, a risk-focused approach should be applied to verify
do so, a description of the approved non-documentary customer accounts. For example, in the case of a well-
methods must be incorporated in the CIP. Such methods known firm, company information and verification could
may include: be sufficient without obtaining and verifying identity
information for all signatories. However, in the case of a
• Contacting the customer, relatively new or unknown firm, it would be in the bank’s
• Checking references with other financial institution, best interest to obtain and verify a greater volume of
• Obtaining a financial statement, and information on signatories and other individuals with
• Independently verifying the customer’s identity control or authority over the firm’s account.
through the comparison of information provided by
the customer with information obtained from Inability to Verify Customer Identity Information
consumer reporting agencies (for example, Experian,
Equifax, TransUnion, Chexsystems), public databases The CIP must include procedures for responding to
(for example, Lexis, Dunn and Bradstreet), or other circumstances in which the bank cannot form a reasonable
sources (for example, utility bills, phone books, voter belief that it knows the true identity of a customer. These
registration bills). procedures should describe, at a minimum, the following:

The bank’s non-documentary procedures must address • Circumstances when the bank should not open an
situations such as: account;
• The terms or limits under which a customer may use
• The inability of a customer to present an unexpired an account while the bank attempts to verify the
government-issued identification document that bears customer’s identity (for example, minimal or no
a photograph or similar safeguard; funding on credit cards, holds on deposits, limits on
• Unfamiliarity on the bank’s part with the documents wire transfers);
presented; • Situations when an account should be closed after
• Accounts opened without obtaining documents; attempts to verify a customer’s identity have failed;
• Accounts opened without the customer appearing in and
person at the bank (for example, accounts opened • Conditions for filing a SAR in accordance with
through the mail or over the Internet); and applicable laws and regulations.
• Circumstances increasing the risk that the bank will be
unable to verify the true identity of a customer through Recordkeeping Requirements
documents.
The bank’s CIP must include recordkeeping procedures
Many of the risks presented by these situations can be for:
mitigated. A bank that accepts items that are considered
secondary forms of identification, such as utility bills and • Any document that was relied upon to verify identity
college ID cards, is encouraged to review more than a noting the type of document, the identification
single document to ensure that it has formed a “reasonable number, the place of issuance, and, if any, the dates of
belief” of the customer’s true identity. Furthermore, in issuance and expiration;
instances when an account is opened over the Internet, a • The method and results of any measures undertaken to
bank may be able to obtain an electronic credential, such as perform non-documentary verification procedures; and
a digital certificate, as one of the methods it uses to verify a • The results of any substantive discrepancy discovered
customer’s identity. when verifying the identifying information obtained.

Additional Verification Procedures for Customers Banks are not required to make and retain photocopies of
(Non-Individuals) any documents used in the verification process. However,
if a bank does choose to do so, it must ensure that these
The CIP must address situations where, based on a risk photocopies are physically secured to adequately protect
assessment of a new account that is opened by a customer against possible identity theft. In addition, such
that is not an individual, the bank will obtain information photocopies should not be maintained with files and
about individuals with authority or control over such documentation relating to credit decisions in order to avoid
accounts, in order to verify the customer’s identity. These any potential problems with consumer compliance
individuals could include such parties as signatories, regulations.

DSC Risk Management Manual of Examination Policies 8.1-11 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
owners; however, this may be accomplished by providing
Required Retention Period notice to one owner for delivery to the other owners.

All required customer identifying information obtained in Reliance on Another Financial Institution’s CIP
the account opening process must be retained for five years
after the account is closed, or in the case of credit card A bank may develop and implement procedures for relying
accounts, five years after the account is closed or becomes on another financial institution for the performance of CIP
dormant. The other “required records” (descriptions of procedures, yet the CIPs at both entities do not have to be
documentary and non-documentary verification procedures identical. The reliance can be used with respect to any
and any descriptions of substantive discrepancy resolution) bank customer that is opening or has opened an account or
must be retained for five years after the record is made. If similar formal relationship with the relied-upon financial
several accounts are opened at a bank for a customer institution. Additionally, the following requirements must
simultaneously, all of the required customer identifying be met:
information obtained in the account opening process must
be retained for five years after the last account is closed, or • Reliance is reasonable, under the circumstances;
in the case of credit card accounts, five years after the last • The relied-upon financial institution (including an
account is closed or becomes dormant. As in the case of a affiliate) is subject to the same anti-money laundering
single account, all other “required records” must be kept program requirements as a bank, and is regulated by a
for five years after the records are made. Federal functional regulator (as previously defined);
and
Comparison with Government Lists of Known or • A signed contract exists between the two entities that
Suspected Terrorists requires the relied-upon financial institution to certify
annually that it has implemented its anti-money
The CIP must include procedures for determining whether laundering program, and that it will perform (or its
the customer appears on any list of known or suspected agent will perform) the specified requirements of the
terrorists or terrorist organizations issued by any Federal bank’s CIP.
government agency and designated as such by the Treasury
in consultation with the other Federal functional regulators. To strengthen such an arrangement, the signed contract
should include a provision permitting the bank to have
The comparison procedures must be performed and a access to the relied-upon institution’s annual independent
determination made within a reasonable period of time review of its CIP.
after the account is opened, or earlier, as required and
directed by the issuing agency. Since the USA PATRIOT Deposit Broker Activity
Act Section 314(a) Requests, discussed in detail under the
heading entitled “Special Information Sharing Procedures The use of deposit brokers is a common funding
to Deter Money Laundering and Terrorist Activities,” are mechanism for many financial institutions. This activity is
one-time only searches, they are not applicable to the CIP. considered higher risk because each deposit broker
operates under its own operating guidelines to bring
Adequate Customer Notice customers to a bank. Consequently, the deposit broker
may not be performing sufficient Customer Due Diligence
The CIP must include procedures for providing customers (CDD), Office of Foreign Assets Control (OFAC)
with adequate notice that the bank is requesting screening (refer to the detailed OFAC discussion provided
information to verify their identities. This notice must elsewhere within this chapter), or CIP procedures. The
indicate that the institution is collecting, verifying, and bank accepting brokered deposits relies upon the deposit
recording the customer identity information as outlined in broker to have sufficiently performed all required account
the CIP regulations. Furthermore, the customer notice opening procedures and to have followed all BSA and
must be provided prior to account opening, with the AML program requirements.
general belief that it will be clearly read and understood.
This notice may be posted on a lobby sign, included on the Deposit Broker is Customer
bank’s website, provided orally, or disclosed in writing (for
example, account application or separate disclosure form). Regulations contained in 31 CFR 103.121 specifically
The regulation provides sample language that may be used defines the term customer as a person (individual,
for providing adequate customer notice. In the case of registered corporation, partnership, or trust). Therefore,
joint accounts, the notice must be provided to all joint according to this definition, if a deposit broker opens an

Bank Secrecy Act (12-04) 8.1-12 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
account(s), the customer is the deposit broker NOT the Banks doing business with deposit brokers are encouraged
deposit broker’s clients. to include contractual requirements for the deposit broker
to establish and conduct procedures for minimum CIP,
Deposit Broker’s CIP CDD, and OFAC screening.

Deposit brokers must follow their own CIP requirements Finally, the bank should monitor brokered deposit activity
for their customers. If the deposit broker is registered with for unusual activity, including cash transactions,
the SEC, then it is required to follow the same general CIP structuring, and funds transfer activity. Monitoring
requirements as banking institutions and is periodically procedures should identify any “red flags” suggesting that
examined by the SEC for compliance. However, if the the deposit broker’s customers (the ultimate customers) are
deposit broker does not come under the SEC’s jurisdiction, trying to conceal their true identities and/or their source of
they may not be following any due diligence laws or wealth and funds.
guidelines.
Additional Guidance on CIP Regulations
As such, banks accepting deposit broker accounts should
establish policies and procedures regarding the brokered Comprehensive guidance regarding CIP regulations and
deposits. Policies should establish minimum due diligence related examination procedures can be found within FDIC
procedures for all deposit brokers providing business to the FIL 90-2004, Guidance on Customer Identification
bank. The level of due diligence a bank performs should Programs. On January 9, 2004, the Treasury, FinCEN, and
be commensurate with its knowledge of the deposit broker the Federal Financial Institutions Examination Council
and the broker’s known business practices. (FFIEC) regulatory agencies issued joint interpretive
guidance addressing frequently asked questions (FAQs)
Banks should conduct enhanced due diligence on relating to CIP requirements in FIL-4-2004. Additional
unknown and/or unregulated deposit brokers. For information regarding CIP can be found on the FinCEN
protection, the bank should determine that the: website.

• Deposit broker is legitimate;

• Deposit broker is following appropriate guidance SPECIAL INFORMATION SHARING
and/or regulations;
PROCEDURES TO DETER MONEY
• Deposit broker’s policies and procedures are
sufficient; LAUNDERING AND TERRORIST
• Deposit broker has adequate CIP verification ACTIVITIES
procedures;
• Deposit broker screens clients for OFAC matches; Section 314 of the USA PATRIOT Act covers special
• BSA/OFAC audit reviews are adequate and show information sharing procedures to deter money laundering
compliance with requirements; and and terrorist activities. These are the only two categories
• Bank management is aware of the deposit broker’s that apply under Section 314 information sharing; no
anticipated volume and transaction type. information concerning other suspicious or criminal
activities can be shared under the provisions of Section 314
Special care should be taken with deposit brokers who: of the USA PATRIOT Act. Final regulations of the
following two rules issued on March 4, 2002, became
• Are previously unknown to the bank; effective on September 26, 2002:
• Conduct business or obtain deposits primarily in
another country; • Section 314(a), codified into 31 CFR 103.100,
• Use unknown or hard-to-contact businesses and banks requires mandatory information sharing between the
for references; U.S. Government (FinCEN, Federal law enforcement
• Provide other services which may be suspect, such as agencies, and Federal Banking Agencies) and financial
creating shell corporations for foreign clients; institutions.
• Advertise their own deposit rates, which vary widely • Section 314(b), codified into 31 CFR 103.110,
from those offered by banking institutions; and encourages voluntary information sharing between
• Refuse to provide requested due diligence information financial institutions and/or associations of financial
or use methods to get deposits placed before providing institutions.
information.

DSC Risk Management Manual of Examination Policies 8.1-13 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
Section 314(a) – Mandatory Information
Sharing Between the U.S. Government and • Deposit account records;
• Funds transfer records;
Financial Institutions
• Sales of monetary instruments (purchaser only);
A Federal law enforcement agency investigating terrorist • Loan records;
activity or money laundering may request that FinCEN • Trust department records;
solicit, on its behalf, certain information from a financial • Securities records (purchases, sales, safekeeping, etc.);
institution or a group of financial institutions on certain • Commodities, options, and derivatives; and
individuals or entities. The law enforcement agency must • Safe deposit box records (but only if searchable
provide a written certification to FinCEN attesting that electronically).
credible evidence of money laundering or terrorist activity
exists. It must also provide specific identifiers such as date According to the general instructions to Section 314(a),
of birth, address, and social security number of the financial institutions are NOT required to research the
individual(s) under investigation that would permit a following documents for matches:
financial institution to differentiate among customers with
common or similar names. • Checks processed through an account for a payee,
• Monetary instruments for a payee,
Section 314(a) Requests • Signature cards, and
• CTRs and SARs previously filed.
Upon receiving an adequate written certification from a
law enforcement agency, FinCEN may require financial The general guidelines specify that the record search need
institutions to perform a search of their records to only encompass current accounts and accounts maintained
determine whether they maintain or have maintained by a named subject during the preceding twelve (12)
accounts for, or have engaged in transactions with, any months, and transactions not linked to an account
specified individual, entity, or organization. This process conducted by a named subject during the preceding six (6)
involves providing a Section 314(a) Request to the months. Any record described above that is not maintained
financial institutions. Such lists are issued to financial in electronic form need only be searched if it is required to
institutions every two weeks by FinCEN. be kept under federal law or regulation.

Each Section 314(a) request has a unique tracking number. Again, if the specific guidelines or the timeframe of
The general instructions for a Section 314(a) Request records to be searched on a Section 314(a) Request differ
require financial institutions to complete a one-time search from the general guidelines, they should be followed to the
of their records and respond to FinCEN, if necessary, extent possible. For example, if a particular Section 314(a)
within two weeks. However, individual requests can have Request asks financial institutions to search their records
different deadline dates. Any specific guidelines on the back eight years, the financial institutions should honor
request supercede the general guidelines. such requests to the extent possible, even though BSA
recordkeeping requirements generally do not require
Designated Point-of-Contact for Section 314(a) Requests records to be retained beyond five years.

All financial institutions shall designate at least one point- Reporting of “Matches”
of-contact for Section 314(a) requests and similar
information requests from FinCEN. FDIC-supervised Financial institutions typically have a two-week window to
financial institutions must promptly notify the FDIC of any complete the one-time search and respond, if necessary to
changes to the point-of-contact, which is reported on each FinCEN. If a financial institution identifies an account or
Call Report. transaction by or on behalf of an individual appearing on a
Section 314(a) Request, it must report back to FinCEN that
Financial Institution Records Required to be Searched it has a “positive match,” unless directed otherwise. When
reporting this information to FinCEN, no additional details,
The records that must be searched for a Section 314(a) unless otherwise instructed, should be provided other than
Request are specified in the request itself. Using the the fact that a “positive match” has been identified. In
identifying information contained in the 314(a) request, situations where a financial institution is unsure of a match,
financial institutions are required to conduct a one-time it may contact the law enforcement agency specified in the
search of the following records, whether or not they are Section 314(a) Request. Negative responses to Section
kept electronically (subject to the limitations below): 314(a) Requests are not required; the financial institution

Bank Secrecy Act (12-04) 8.1-14 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
does not need to respond to FinCEN on a Section 314(a) Financial institutions must protect the security of the
Request if there are no matches to the institution’s records. Section 314(a) Requests, as they are confidential. As
Financial institutions are to be reminded that unless a name stated previously, a financial institution must not tip off a
is repeated on a subsequent Section 314(a) Request, that customer that he/she is the subject of a Section 314(a)
name does not need to be searched again. Request. Similarly, a financial institution cannot disclose
to any person or entity, other than to FinCEN, its primary
The financial institution must not notify a customer that Federal functional regulator, or the Federal law
he/she has been included on a Section 314(a) Request. enforcement agency on whose behalf FinCEN is requesting
Furthermore, the financial institution must not tell the information, the fact that FinCEN has requested or
customer that he/she is under investigation or that he/she is obtained information from a Section 314(a) Request.
suspected of criminal activity.
FinCEN has stated that an affiliated group of financial
Restrictions on Use of Section 314(a) Requests institutions may establish one point-of-contact to distribute
the Section 314(a) Requests for the purpose of responding
A financial institution may only use the information to requests. However, the Section 314(a) Requests should
identified in the records search to report “positive matches” not be shared with foreign affiliates or foreign subsidiaries
to FinCEN and to file, when appropriate, SARs. If the (unless the request specifically states otherwise), and the
financial institution has a “positive match,” account lists cannot be shared with affiliates or subsidiaries of bank
activity with that customer or entity is not prohibited; it is holding companies that are not financial institutions.
acceptable for the financial institution to open new
accounts or maintain current accounts with Section 314(a) Notwithstanding the above restrictions, a financial
Request subjects; the closing of accounts is not required. institution is authorized to share information concerning an
However, the Section 314(a) Requests may be useful as a individual, entity, or organization named in a Section
determining factor for such decisions if the financial 314(a) Request from FinCEN with other financial
institution so chooses. Unlike OFAC lists, Section 314(a) institutions and/or financial institution associations in
Requests are not permanent “watch lists.” In fact, Section accordance with the certification and procedural
314(a) Requests are not updated or corrected if an requirements of Section 314(b) of the USA PATRIOT Act
investigation is dropped, a prosecution is declined, or a discussed below. However, such sharing shall not disclose
subject is exonerated, as they are point-in-time inquiries. the fact that FinCEN has requested information on the
Furthermore, the names provided on Section 314(a) subjects or the fact that they were included within a Section
Requests do not necessarily correspond to convicted or 314(a) Request.
indicted persons; rather, a Section 314(a) Request subject
need only be “reasonably suspected,” based on credible Internal Financial Institution Measures for Protecting
evidence of engaging in terrorist acts or money laundering Section 314(a) Requests
to appear on the list.
In order to protect the confidentiality of the Section 314(a)
SAR Filings Requests, these documents should only be provided to
financial institution personnel who need the information to
If a financial institution has a positive match within its conduct the search and should not be left in an unprotected
records, it is not required to automatically file a SAR on or unsecured area. A financial institution may provide the
the identified subject. In other words, the subject’s Section 314(a) Request to third-party information
presence on the Section 314(a) Request should not be the technology service providers or vendors to
sole factor in determining whether to file a SAR. perform/facilitate the record searches so long as it takes the
However, prudent BSA compliance practices should ensure necessary steps to ensure that the third party appropriately
that the subject’s accounts and transactions be scrutinized safeguards the information. It is important to remember
for suspicious or unusual activity. If, after such a review is that the financial institution remains ultimately responsible
performed, the financial institution’s management has for the performance of the required searches and to protect
determined that the subject’s activity is suspicious, the security and confidentiality of the Section 314(a)
unusual, or inconsistent with the customer’s profile, then Requests.
the timely filing of an SAR would be warranted.
Each financial institution must maintain adequate
Confidentiality of Section 314(a) Requests procedures to protect the security and confidentiality of
requests from FinCEN. The procedures to ensure
confidentiality will be considered adequate if the financial

DSC Risk Management Manual of Examination Policies 8.1-15 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
institution applies procedures similar to those it has
established to comply with Section 501 of the Gramm- • Identifying and, where appropriate, reporting on
Leach-Bliley Act (15 USC 6801) with regard to the money laundering or terrorist activities;
protection of its customers’ non-public personal • Determining whether to establish or maintain an
information. account, or to engage in a transaction; or
• Assisting in the purposes of complying with this
Financial institutions should keep a log of all Section section.
314(a) Requests received and any “positive matches”
identified and reported to FinCEN. Additionally, Annual Certification Requirements
documentation that all required searches were performed is
essential. The financial institution should not need to keep In order to avail itself to the statutory safe harbor
copies of the Section 314(a) Requests, noting the unique protection, a financial institution or financial institution
tracking number will suffice. Some financial institutions association must annually certify with FinCEN stating its
may choose to destroy the Section 314(a) Requests after intent to engage in information sharing with other
searches are performed. If a financial institution chooses similarly-certified entities. It must further state that it has
to keep the Section 314(a) Requests for audit/internal established and will maintain adequate procedures to
review purposes, it should not be criticized for doing so, as protect the security and confidentiality of the information,
long as it appropriately secures them and protects their as if the information were included in one of its own SAR
confidentiality. filings. The annual certification process involves
completing and submitting a “Notice for Purposes of
FinCEN has provided financial institutions with general Subsection 314(b) of the USA PATRIOT Act and 31 CFR
instructions, FAQs, and additional guidance relating to the 103.110.” The notice can be completed and electronically
Section 314(a) Request process. These documents are submitted to FinCEN via their website. Alternatively, the
revised periodically and may be found on FinCEN’s Web notice can be mailed to the following address: FinCEN,
site. P.O. Box 39, Mail Stop 100, Vienna, VA 22183. It is
important to mention that if a financial institution or
Section 314(b) - Voluntary Information financial institution association improperly uses its Section
Sharing 314(b) permissions, its certification can be revoked by
either FinCEN or by its Federal Banking Agency.
Section 314(b) of the USA PATRIOT Act encourages
financial institutions and financial institution associations Failure to follow the Section 314(b) annual certification
(for example, bank trade groups and associations) to share requirements will result in the loss of the financial
information on individuals, entities, organizations, and institution or financial institution association’s statutory
countries suspected of engaging in possible terrorist safe harbor and could result in a violation of privacy laws
activity or money laundering. Section 314(b) limits the or other laws and regulations.
definition of “financial institutions” used within Section
314(a) of USA PATRIOT Act to include only those Verification Requirements
institutions that are required to establish and maintain an
anti-money laundering program; this definition includes, A financial institution must take reasonable steps to verify
but is not limited to, banking entities regulated by the that the other financial institution(s) or financial institution
Federal Banking Agencies. The definition specifically association(s) with which it intends to share information
excludes any institution or class of institutions that FinCEN has also performed the annual certification process
has designated as ineligible to share information. Section discussed above. Such verification can be performed by
314(b) also describes the safe harbor from civil liability reviewing the lists of other 314(b) participants that are
that is provided to financial institutions that appropriately periodically provided by FinCEN. Alternatively, the
share information within the limitations and requirements financial institution or financial institution association can
specified in the regulation. confirm directly with the other party that the certification
process has been completed.
Restrictions on Use of Shared Information
Other Important Requirements and Restrictions
Information shared on a subject from a financial institution
or financial institution association pursuant to Section Section 314(b) requires virtually the same care and
314(b) cannot be used for any purpose other than the safeguarding of sensitive information as Section 314(a),
following: whether the bank is the “provider” or “receiver” of

Bank Secrecy Act (12-04) 8.1-16 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
information. Refer to the discussions provided above and An effective CDD program protects the reputation of the
within “Section 314(a) – Mandatory Information Sharing institution by:
Between the U.S. Government and Financial Institutions”
for detailed guidance on: • Preventing unusual or suspicious transactions in a
timely manner that potentially exposes the institution
• SAR Filings and to financial loss or increased expenses;
• Confidentiality of Section 314(a) Requests (including • Avoiding criminal exposure from individuals who use
the embedded discussion entitled “Internal Financial the institution’s resources and services for illicit
Institution Measures for Protecting Section 314(a) purposes; and
Requests”). • Ensuring compliance with BSA regulations and
adhering to sound and recognized banking practices.
Actions taken pursuant to shared information do not affect
a financial institution’s obligations to comply with all BSA CDD Program Guidance
and OFAC rules and regulations. For example, a financial
institution is still obligated to immediately contact law CDD programs should be tailored to each institution’s
enforcement and its Federal regulatory agency, by BSA/AML risk profile; consequently, the scope of CDD
telephone, when a significant reportable violation requiring programs will vary. While smaller institutions may have
immediate attention (such as one that involves the more frequent and direct contact with customers than their
financing of terrorist activity or is of an ongoing nature) is counterparts in larger institutions, all institutions should
being conducted; thereafter, a timely SAR filing is still adopt and follow an appropriate CDD program.
required.
An effective CDD program should:
FinCEN has provided financial institutions with general
instructions, registration forms, FAQs, and additional • Be commensurate with the institution’s BSA/AML
guidance relating to the Section 314(b) information sharing risk profile, paying particular attention to higher risk
process. These documents are revised periodically and customers,
may be found on FinCEN’s website. • Contain a clear statement of management’s overall
expectations and establish specific staff
responsibilities, and
CUSTOMER DUE DILIGENCE (CDD) • Establish monitoring systems and procedures for
identifying transactions or activities inconsistent with a
The cornerstone of strong BSA/AML programs is the customer’s normal or expected banking activity.
adoption and implementation of comprehensive CDD
policies, procedures, and controls for all customers, Customer Risk
particularly those that present a higher risk for money
laundering and terrorist financing. The concept of CDD As part of an institution’s BSA/AML risk assessment,
incorporates and builds upon the CIP regulatory many institutions evaluate and apply a BSA/AML risk
requirements for identifying and verifying a customer’s rating to its customers. Under this approach, the institution
identity. will obtain information at account opening sufficient to
develop a “customer transaction profile” that incorporates
The goal of a CDD program is to develop and maintain an an understanding of normal and expected activity for the
awareness of the unique financial details of the institution’s customer’s occupation or business operations. While this
customers and the ability to relatively predict the type and practice may not be appropriate for all institutions,
frequency of transactions in which its customers are likely management of all institutions should have a thorough
to engage. In doing so, institutions can better identify, understanding of the money laundering or terrorist
research, and report suspicious activity as required by BSA financing risks of its customer base and develop and
regulations. Although not required by statute or regulation, implement the means to adequately mitigate these risks.
an effective CDD program provides the critical framework
that enables the institution to comply with regulatory Due Diligence for Higher Risk Customers
requirements.
Customers that pose higher money laundering or terrorist
Benefits of an Effective CDD Program financing risks present increased exposure to institutions.
Due diligence for higher risk customers is especially

DSC Risk Management Manual of Examination Policies 8.1-17 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
critical in understanding their anticipated transactions and • Private banking activities;
implementing a suspicious activity monitoring system that • Numbered accounts;
reduces the institution’s reputation, compliance, and • Pouch activities;
transaction risks. Higher risk customers and their • Special use accounts;
transactions should be reviewed more closely at account • Wire transfer activities; and
opening and more frequently throughout the term of the • Electronic banking.
relationship with the institution.
Financial institutions offering these higher risk products
The USA PATRIOT Act requires special due diligence at and services must enhance their AML and CDD
account opening for certain foreign accounts, such as procedures to ensure adequate scrutiny of these activities
foreign correspondent accounts and accounts for senior and the customers conducting them.
foreign political figures. An institution’s CDD program
should include policies, procedures, and controls
Non-Bank Financial Institutions and
reasonably designed to detect and report money laundering
through correspondent accounts and private banking Money Service Businesses
accounts that are established or maintained for non-U.S.
persons. Guidance regarding special due diligence Non-bank financial institutions (NBFIs) are broadly
requirements is provided in the next section entitled defined as institutions that offer financial services.
“Banking Services and Activities with Greater Potential for Traditional financial institutions (“banks” for this
Money Laundering and Enhanced Due Diligence discussion) that maintain account relationships with NBFIs
Procedures.” are exposed to a higher risk for potential money laundering
activities because these entities are less regulated and may
have limited or no documentation on their customers.
Additionally, banks may likewise be exposed to possible
BANKING SERVICES AND ACTIVITIES
OFAC violations for unknowingly engaging in or
WITH GREATER POTENTIAL FOR facilitating prohibited transactions through a NBFI account
MONEY LAUNDERING AND ENHANCED relationship.
DUE DILIGENCE PROCEDURES
NBFIs include, but are not limited to:
Certain financial services and activities are more
vulnerable to being exploited in money laundering and • Casinos or card clubs;
terrorist financing activities. These conduits are often • Securities brokers/dealers; and
utilized because each typically presents an opportunity to • Money Service Businesses (MSBs)
move large amounts of funds embedded within a large o currency dealers or exchangers;
number of similar transactions. Most activities discussed o check cashers;
in this section also offer access to international banking o issuers, sellers, or redeemers of traveler’s
and financial systems. The ability of U.S. financial checks, money orders, or stored value cards;
institutions to conduct the appropriate level of due o money transmitters; and
diligence on customers of foreign banks, offshore and shell o U.S. Post Offices (money orders).
banks, and foreign branches is often severely limited by the
laws and banking practices of other countries. Money Service Businesses

While international AML and Counter-Terrorist Financing As indicated above, MSBs are a subset of NBFIs.
(CTF) standards are improving through efforts of several Regulations for MSBs are included within 31 CFR 103.41.
international groups, U.S. financial institutions will still All MSBs were required to register with FinCEN using
need effective systems in their AML and CTF programs to Form TD F 90-22.55 by December 31, 2001, or within 180
understand the quality of supervision and assess the days after the business begins operations. Thereafter, each
integrity and effectiveness of controls in other countries. MSB must renew its registration every two years.
Higher risk areas discussed in this section include:
MSBs are a major industry, and typically operate as
• Non-bank financial institutions (NBFIs), including independent businesses. Relatively few MSBs are chains
money service businesses (MSBs); that operate in multiple states. MSBs can be sole-purpose
• Foreign correspondent banking relationships; entities but are frequently tied to another business such as a
• Payable-through accounts; liquor store, bar, grocery store, gas station, or other multi-

Bank Secrecy Act (12-04) 8.1-18 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
purpose entity. As a result, many MSBs are frequently
unaware of their legal and regulatory requirements and Exemptions from CTR Filing Requirements
have been historically difficult to detect. A bank may find
it necessary to inform MSB customers about the MSBs are subject to BSA regulations and OFAC sanctions
appropriate MSB regulations and requirements. and, as such, should be filing CTRs, screening customers
for OFAC matches, and filing SARs, as appropriate.
Most legitimate MSBs should not refuse to follow MSBs cannot exempt their customers from CTR filing
regulations once they have been informed of the requirements like banks can, and banks may not exempt
requirements. If they do, the bank should closely MSB customers from CTR filing, unless the “50 Percent
scrutinize the MSBs activities and transactions for possible Rule” applies.
suspicious activity.
The “50 Percent Rule” states that if a MSB derives less
MSBs typically do not establish on-going customer than 50 percent of its gross cash receipts from money
relationships, and this is one of the reasons that MSB service activities, then it can be exempted. If the bank
customers are considered higher risk. Since MSBs do not exempts a MSB customer under the “50 Percent Rule,” it
have continuous relationships with their clients, they should have documentation evidencing the types of
generally do not obtain key due diligence documentation, business conducted, receipt volume, and estimations of
making customer identification and suspicious transaction MSB versus non-MSB activity.
identification more difficult.
Policies and Procedures for Opening and Monitoring
Banks with MSB customers also have a risk in processing NBFI and MSB Relationships
third-party transactions through their payment and other
banking systems. MSB transactions carry an inherent Banks that maintain account relationships with NBFIs or
potential for the facilitation of layering. MSBs can be MSBs should perform greater due diligence for these
conduits for illicit cash and monetary instrument customers given their higher risk profile. Management
transactions, check kiting, concealing the ultimate should implement the following due diligence procedures
beneficiary of the funds, and facilitating the processing of for MSBs:
forged or fraudulent items such as treasury checks, money
orders, traveler’s checks, and personal checks. • Identify all NBFI/MSB accounts;
• Determine that the business has met local licensing
MSB Agents requirements;
• Ascertain if the MSB has registered or re-registered
MSBs that are agents of such commonly known entities as with FinCEN and obtain a copy of the filing or verify
Moneygram or Western Union should be aware of their the filing on FinCEN’s website;
legal requirements. Agents of such money transmitters, • Determine if the MSB has procedures to comply with
unless they offer another type of MSB activity, do NOT BSA regulations and OFAC monitoring;
have to independently register with FinCEN, but are • Establish the types and amounts of
maintained on an agency list by the “actual” MSB (such as currencies/instruments handled, and any additional
Western Union). However, this “actual” MSB is services provided;
responsible for providing general training and information • Note the targeted customer base;
requirements to their agents and for aggregating • Determine if the business sends or receives
transactions on a nationwide basis, as appropriate. international wires and the nature of the activity;
• Determine if the MSB has procedures to monitor and
Check Cashers report suspicious activity; and
• Obtain a copy of the MSBs independent BSA review,
FinCEN defines a check casher as a business that will cash
if available.
checks and/or sell monetary or other instruments over
$1,000 per customer on any given day. If a company, such
Management should document in writing the responses to
as a local mini-market, will cash only personal checks up to
the items above and update MSB customer files at least
$100 per day AND it provides no other financial services
annually. In addition, management should continue to
or instruments (such as money orders or money
monitor these higher risk accounts for suspicious activity.
transmittals), then that company would NOT be considered
The FDIC does not expect the bank to perform an
a check casher for regulatory purposes or have to register
examination of the MSB; however, the bank should take
as an MSB.

DSC Risk Management Manual of Examination Policies 8.1-19 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
reasonable steps to document that MSB customers are termination of the foreign correspondent account. Such
aware of and are complying with appropriate regulations. foreign correspondent relationships need only be
terminated upon the U.S. financial institution’s written
For additional information, examiners should instruct bank receipt of such instruction from either the Secretary of the
management to consult the FinCEN website developed Treasury or the U.S. Attorney General. If the U.S.
specifically for MSBs. This website contains guidance, financial institution fails to terminate relationships after
registration forms, and other materials useful for MSBs to receiving notification, the U.S. institution may face civil
understand and comply with BSA regulations. Bank money penalties.
customers who are uncertain if they are covered by the
definition of MSBs can also visit this site to determine if The Treasury was also granted broad authority by the USA
their business activities qualify. PATRIOT Act (codified in 31 USC 5318[A]), allowing it
to establish special measures. Such special measures can
Foreign Correspondent Banking be established which require U.S. financial institutions to
Relationships perform additional recordkeeping and/or reporting or
require a complete prohibition of accounts and transactions
Correspondent accounts are accounts that financial with certain countries and/or specified foreign financial
institutions maintain with each other to handle transactions institutions. The Treasury may impose such special
for themselves or for their customers. Correspondent measures by regulation or order, in consultation with other
accounts between a foreign bank and U.S. financial regulatory agencies, as appropriate.
institutions are much needed, as they facilitate international
trade and investment. However, these relationships may Shell Banks
pose a higher risk for money laundering.
Sections 313 and 319 of the USA PATRIOT Act
Transactions through foreign correspondent accounts are implemented (by 31 CFR 103.177 and 103.185,
typically large and would permit movement of a high respectively) a new provision of the BSA that relates to
volume of funds relatively quickly. These correspondent foreign correspondent accounts. Covered financial
accounts also provide foreign entities with ready access to institutions (CFI) are prohibited from establishing,
the U.S. financial system. These banks and other financial maintaining, administering, or managing a correspondent
institutions may be located in countries with unknown account in the U.S. for or on behalf of a foreign shell bank.
AML regulations and controls ranging from strong to
weak, corrupt, or nonexistent. A correspondent account, under this regulation, is defined
as an account established by a CFI for a foreign bank to
The USA PATRIOT Act establishes reporting and receive deposits from, to make payments or other
documentation requirements for certain high-risk areas, disbursements on behalf of a foreign financial institution,
including: or to handle other financial transactions related to the
foreign bank. An account is further defined as any formal
• Special due diligence requirements for correspondent banking or business relationship established to provide:
accounts and private banking accounts which are
addressed in 31 CFR 103.181. • Regular services,
• Verification procedures for foreign correspondent • Dealings, and
account relationships which are included in 31 CFR • Other financial transactions,
103.185.
• Foreign banks with correspondent accounts at U.S. and may include:
financial institutions must produce bank records,
including information on ownership, when requested • Demand deposits,
by regulators and law enforcement, as detailed in • Savings deposits,
Section 319 of the USA PATRIOT Act and codified at • Any other transaction or asset account,
31 CFR 103.185. • Credit account, or
• Any other extension of credit.
The foreign correspondent records detailed above are to be
provided within seven days of a law enforcement request A foreign shell bank is defined as a foreign bank without a
and within 120 hours of a Federal regulatory request. physical presence in any country. Physical presence means
Failure to provide such records in a timely manner may a place of business that:
result in the U.S. financial institution’s required

Bank Secrecy Act (12-04) 8.1-20 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
• Is maintained by a foreign bank; law enforcement can serve a subpoena or other legal
• Is located at a fixed address (other than solely an document upon the foreign correspondent bank.
electronic address or a post-office box) in a country in
which the foreign bank is authorized to conduct Certification Process
banking activities;
• Provides at that fixed address: To facilitate information collection, the Treasury, in
o One or more full-time employees, coordination with the banking industry, Federal regulators
o Operating records related to its banking and law enforcement agencies, developed a certification
activities; and process using special forms to standardize information
• Is subject to inspection by the banking authority that collection. The use of these forms is not required;
licensed the foreign bank to conduct banking however, the information must be collected regardless.
activities. The CFI must update, or re-certify, the foreign
correspondent information at least once every three years.
There is one exception to the shell bank prohibition. This
exception allows a CFI to maintain a correspondent For new accounts, this certification information must be
account with a foreign shell bank if it is a regulated obtained within 30 calendar days after the opening date. If
affiliate. As a regulated affiliate, the shell bank must meet the CFI is unable to obtain the required information, it
the following requirements: must close all correspondent accounts with that foreign
bank within a commercially reasonable time. The CFI
• The shell bank must be affiliated with a depository should review certifications to verify their accuracy. The
institution (bank or credit union, either U.S. or review should look for potential problems that may warrant
foreign) in the U.S. or another foreign jurisdiction. further research or information. Should a CFI know,
• The shell bank must be subject to supervision by the suspect, or have reason to suspect that any certification
banking authority that regulates the affiliated entity. information is no longer correct, the CFI must request the
foreign bank to verify or correct such information within
Furthermore, in any foreign correspondent relationship, the 90 days. If the information is not corrected within that
CFI must take reasonable steps to ensure that such an time, the CFI must close all correspondent accounts with
account is not being used indirectly to provide banking that institution within a commercially reasonable time.
services to other foreign shell banks. If the CFI discovers
that a foreign correspondent account is providing indirect Foreign Correspondent Banking
services in this manner, then it must either prohibit the Money Laundering Risks
indirect services to the foreign shell bank or close down the
foreign correspondent account. This activity is referred to Foreign correspondent accounts provide clearing access to
as “nested” correspondent banking and is discussed in foreign financial institutions and their customers, which
greater detail below under “Foreign Correspondent may include other foreign banks. Many U.S. financial
Banking Money Laundering Risks.” institutions fail to ascertain the extent to which the foreign
banks will allow other foreign banks to use their U.S.
Required Recordkeeping on accounts. Many high-risk foreign financial institutions
Correspondent Banking Accounts have gained access to the U.S. financial system by
operating through U.S. correspondent accounts belonging
As mentioned previously, a CFI that maintains a foreign to other foreign banks. These are commonly referred to as
correspondent account must also maintain records “nested” correspondent banks.
identifying the owners of each foreign bank. To minimize
recordkeeping burdens, ownership information is not Such nested correspondent bank relationships result in the
required for: U.S. financial institution’s inability to identify the ultimate
customer who is passing a transaction through the foreign
• Foreign banks that file form FR-7 with the Federal correspondent’s U.S. account. These nested relationships
Reserve, or may prevent the U.S. financial institution from effectively
• Publicly traded foreign banks. complying with BSA regulations, suspicious activity
reporting, and OFAC monitoring and sanctions.
A CFI must also record the name and street address of a
person who resides in the U.S. and who is willing to accept If a U.S. financial institution’s due diligence or monitoring
service of legal process on behalf of the foreign institution. system identifies the use of such nested accounts, the U.S.
In other words, the CFI must collect information so that

DSC Risk Management Manual of Examination Policies 8.1-21 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
financial institution should do one or more of the agency (such as the Financial Action Task Force
following: [FATF]) as being a primary money laundering
concern; or
• Perform due diligence on the nested users of the • Located in a bank secrecy or money laundering haven.
foreign correspondent account, to determine and verify
critical information including, but not limited to, the Internal financial institution policies should focus
following: compliance efforts on those accounts that represent a
o Ownership information, higher risk of money laundering. U.S. financial institutions
o Service of legal process contact, may use their own risk assessment or incorporate the best
o Country of origin, practices developed by industry and regulatory
o AML policies and procedures, recommendations.
o Shell bank and licensing status,
o Purpose and expected volume and type of Offshore Banks
transactions;
• Restrict business through the foreign correspondent’s An offshore bank is one which does not transact business
accounts to limited transactions and/or purposes; and with the citizens of the country that licenses the bank. For
• Terminate the initial foreign correspondent account example, a bank is licensed as an offshore bank in Spain.
relationship. This institution may do business with anyone in the world
except for the citizens of Spain. Offshore banks are
Necessary Due Diligence on Foreign typically a revenue generator for the host country and may
Correspondent Accounts not be as closely regulated as banks that provide financial
services to the host country’s citizens. The host country
Because of the heightened risk related to foreign may also have lax AML standards, controls, and
correspondent banking, the U.S. financial institution needs enforcement. As such, offshore licenses can be appealing
to assess the money laundering risks associated with each to those wishing to launder illegally obtained funds.
of its correspondent accounts. The U.S. financial
institution should understand the nature of each account The FATF designates Non-Cooperative Countries and
holder’s business and the purpose of the account. In Territories (NCCTs). These countries have been so
addition, the U.S. financial institution should have an designated because they have not applied the
expected volume and type of transaction anticipated for recommended international anti-money laundering
each foreign bank customer. standards and procedures to their financial systems. The
money laundering standards established by FATF are
When a new relationship is established, the U.S. financial known as the Forty Recommendations. Further discussion
institution should assess the management and financial of the Forty Recommendations and NCCTs can be found at
condition of the foreign bank, as well as its AML programs the FATF website.
and the home country’s money laundering regulations and
supervisory oversight. These due diligence measures are in Payable Through Accounts
addition to the minimum regulation requirements.
A payable through account (PTA) is a demand deposit
Each U.S. financial institution maintaining foreign account through which banking agencies located in the
correspondent accounts must establish appropriate, U.S. extend check writing privileges to the customers of
specific, and, where necessary, enhanced due diligence other domestic or foreign institutions. PTAs have long
policies, procedures, and controls as required by 31 CFR been used in the U.S. by credit unions (for example, for
103.181. The U.S. financial institution’s AML policies checking account services) and investment companies (for
and programs should enable it to reasonably detect and example, for checking account services associated with
report instances of money laundering occurring through the money market management accounts) to offer customers
use of foreign correspondent accounts. the full range of banking services that only a commercial
bank has the ability to provide.
The regulations specify that additional due diligence must
be completed if the foreign bank is: International PTA Use

• Operating under an offshore license; Under an international PTA arrangement, a U.S. financial
• Operating under a license granted by a jurisdiction institution, Edge corporation, or the U.S. branch or agency
designated by the Treasury or an intergovernmental of a foreign bank (U.S. banking entity) opens a master

Bank Secrecy Act (12-04) 8.1-22 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
checking account in the name of a foreign bank operating
outside the U.S. The master account is subsequently Risks Associated with Payable Through Accounts
divided by the foreign bank into "sub-accounts" each in the
name of one of the foreign bank's customers. Each sub- The PTA arrangement between a U.S. banking entity and a
account holder becomes a signatory on the foreign bank's foreign bank may be subject to the following risks:
account at the U.S. banking entity and may conduct
banking activities through the account. • Money Laundering risk – the risk of possible illegal or
improper conduct flowing through the PTAs.
Financial institution regulators have become aware of the • OFAC risk – the risk that the U.S. banking entity does
increasing use of international PTAs. These accounts are not know the ultimate PTA customers which could
being marketed by U.S. financial institutions to foreign facilitate the completion of sanctioned or blocked
banks that otherwise would not have the ability to offer transactions.
their customers direct access to the U.S. banking system. • Credit risk - the risk the foreign bank will fail to
While PTAs provide legitimate business benefits, the perform according to the terms and conditions of the
operational aspects of the account make it particularly PTA agreement, either due to bankruptcy or other
vulnerable to abuse as a mechanism to launder money. In financial difficulties.
addition, PTAs present unique safety and soundness risks • Settlement risk - the risk that arises when the U.S.
to banking entities in the U.S. banking entity pays out funds before it can be certain
that it will receive the corresponding deposit from the
Sub-account holders of the PTA master accounts at the foreign bank.
U.S. banking entity may include other foreign banks, rather • Country risk - the risk the foreign bank will be unable
than just individuals or corporate accounts. These second- to fulfill its international obligations due to domestic
tier foreign banks then solicit individuals as customers. strife, revolution, or political disturbances.
This may result in thousands of individuals having • Regulatory risk - the risk that deposit and withdrawal
signatory authority over a single account at a U.S. banking transactions through the PTA may violate State and/or
entity. The PTA mechanism permits the foreign bank Federal laws and regulations.
operating outside the U.S. to offer its customers, the sub-
account holders, U.S. denominated checks and ancillary Unless a U.S. banking entity is able to identify adequately,
services, such as the ability to receive wire transfers to and and understand the transactions of the ultimate users of the
from sub-accounts and to cash checks. Checks are foreign bank's account maintained at the U.S. banking
encoded with the foreign bank's account number along with entity, there is a potential for serious illegal conduct.
a numeric code to identify the sub-account.
Because of the possibility of illicit activities being
Deposits into the U.S. master account may flow through conducted through PTAs at U.S. banking entities, financial
the foreign bank, which pools them for daily transfer to the institution regulators believe it is inconsistent with the
U.S. banking entity. Funds may also flow directly to the principles of safe and sound banking for U.S. banking
U.S. banking entity for credit to the master account, with entities to offer PTA services without developing and
further credit to the sub-account. maintaining policies and procedures designed to guard
against the possible improper or illegal use of PTA
Benefits Associated with Payable Through Accounts facilities.
While the objectives of U.S. financial institutions Policy Recommendations
marketing PTAs and the foreign banks which subscribe to
the PTA service may vary, essentially three benefits Policies and procedures must be fashioned to enable each
currently drive provider and user interest: U.S. banking entity offering PTA services to foreign banks
to:
• PTAs permit U.S. financial institutions to attract dollar
deposits from the home market of foreign banks • Identify sufficiently the ultimate users of its foreign
without jeopardizing the foreign bank's relationship bank PTAs, including obtaining (or having the ability
with its clients. to obtain) substantially the same type of information
• PTAs provide fee income potential for both the U.S. on the ultimate users as the U.S. banking entity obtains
PTA provider and the foreign bank. for its domestic customers.
• Foreign banks can offer their customers efficient and • Review the foreign bank's own procedures for
low-cost access to the U.S. banking system. identifying and monitoring sub-account holders, as

DSC Risk Management Manual of Examination Policies 8.1-23 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
well as the relevant statutory and regulatory customers may be conducting more complex transactions
requirements placed on the foreign bank to identify and using services that facilitate international transactions.
and monitor the transactions of its own customers by Because of these attributes, private banking also appeals to
its home country supervisory authorities. money launderers.
• Monitor account activities conducted in the PTAs with
foreign banks and report suspicious or unusual activity Examiners should evaluate the financial institution
in accordance with Federal regulations. management’s ability to measure and control the risk of
money laundering in the private banking area and
Termination of PTAs determine if adequate AML policies, procedures, and
oversight are in place to ensure compliance with laws and
It is recommended the U.S. banking entity terminate a PTA regulations and adequate identification of suspicious
with a foreign bank as expeditiously as possible in the activities.
following situations:
Policy Recommendations
• Adequate information about the ultimate users of the
PTAs cannot be obtained. At a minimum, the financial institution’s private banking
• The U.S. banking entity cannot adequately rely on the policies and procedures should address:
home country supervisor to require the foreign bank to
identify and monitor the transactions of its own • Acceptance and approval of private banking clients;
customers. • Desired or targeted client base;
• The U.S. banking entity is unable to ensure that its • Products and services that will be offered;
PTAs are not being used for money laundering or • Effective account opening procedures and
other illicit purposes. documentation requirements; and
• The U.S. banking entity identifies ongoing suspicious • Account review upon opening and ongoing thereafter.
and unusual activities dominating the PTA
transactions. In addition, the financial institution must:

Private Banking Activities • Document the identity and source of wealth on all
customers requesting custody or private banking
Private banking has proven to be a profitable operation and services;
is a fast-growing business in U.S. financial institutions. • Understand each customer’s net worth, account needs,
Although the financial service industry does not use a as well as level and type of expected activity;
standard definition for private banking, it is generally held • Verify the source and accuracy of private banking
that private banking services include an array of all- referrals;
inclusive deposit account, lending, investment, trust, and • Verify the origins of the assets or funds when
cash management services offered to high net worth transactions are received from other financial service
customers and their business interests. Not all financial providers;
institutions operate private banking departments, but they • Review employment and business information, income
typically offer special attention to their best customers and levels, financial statements, net worth, and credit
ensure greater privacy concerning the transactions and reports; and
activities of these customers. Smaller institutions may • Monitor the account relationship by:
offer similar services to certain customers while not o Reviewing activity against customer profile
specifically referring to this activity as private banking. expectations,
o Investigating extraordinary transactions,
Confidentiality is a vital element in administering private o Maintaining an administrative file
banking relationships. Although customers may choose documenting the customer’s profile and
private banking services to manage their assets, they may activity levels,
also seek confidential ownership of their assets or a safe, o Maintaining documentation that details
legal haven for their capital. When acting as a fiduciary, personal observations of the customer’s
financial institutions may have statutory, contractual, or business and/or personal life, and
ethical obligations to uphold customer confidentiality. o Ensuring that account reviews are completed
periodically by someone other than the
Typically, a private banking department will service a private banking officer.
financial institution’s wealthy foreign customers, as these

Bank Secrecy Act (12-04) 8.1-24 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
Financial institutions should ensure, through independent • Documentation showing the source of funds; and
review, that private banking account officers have adequate • Enhanced scrutiny of accounts and transactions of
documentation for accepting new private banking account senior foreign political figures, also known as
funds and are performing the responsibilities detailed “politically exposed persons” (PEPs).
above.
Identity Verification
Enhanced Due Diligence for Non-U.S. Persons
Maintaining Private Banking Accounts The financial institution is expected to take reasonable
steps to verify the identity of both the nominal and the
Section 312 of the USA PATRIOT Act, implemented by beneficial owners of private banking accounts. Often,
31 CFR 103.181, requires U.S. financial institutions that private banking departments maintain customer
maintain private banking accounts for non-U.S. persons to information in a central confidential file or use code names
establish enhanced due diligence policies, procedures, and in order to protect the customer’s privacy. Because of the
controls that are designed to detect and report money nature of the account relationship with the bank liaison and
laundering. the focus on a customer’s privacy, customer profile
information has not always been well documented.
Private banking accounts subject to requirements under
Section 312 of the USA PATRIOT Act include: Other methods used to maintain customer privacy include:

• Accounts, or any combination of accounts with a • Private Investment Corporation (PIC),

minimum deposit of funds or other assets of at least $1 • Offshore Trusts, and
million; • Token Name Accounts.
• Accounts established for one or more individuals
(beneficial owners) that are neither U.S. citizens, nor PICs are established to hold a customer’s personal assets in
lawful permanent residents of the U.S.; or a separate legal entity. PICs offer confidentiality of
• Accounts assigned to or managed by an officer, ownership, hold assets centrally, and provide
employee, or agent of a financial institution acting as a intermediaries between private banking customers and the
liaison between the financial institution and the direct potential beneficiaries of the PICs or trusts. A PIC may
or beneficial owner of the account. also be a trust asset. PICs are incorporated frequently in
countries that impose low or no taxes on company assets
Regulations for private banking accounts specify that and operations, or are bank secrecy havens. They are
enhanced due diligence procedures and controls should be sometimes established by the financial institution for
established where appropriate and necessary with respect customers through their international affiliates – some high
to the applicable accounts and relationships. The financial profile or political customers have a legitimate need for a
institution must be able to show it is able to reasonably higher degree of financial privacy. However, financial
detect suspicious and reportable money laundering institutions should exercise extra care when dealing with
transactions and activities. beneficial owners of PICs and associated trusts because
they can be misused to conceal illegal activities. Since
A due diligence program is considered reasonable if it PICs issue bearer shares, anonymous relationships in which
focuses compliance efforts on those accounts that represent the financial institution does not know and document the
a high risk of money laundering. Private banking accounts beneficial owner should not be permitted.
of foreign customers inherently indicate higher risk than
many U.S. accounts; however, it is incumbent upon the Offshore trusts can operate similarly to PICs and can even
financial institution to establish a reasonable level of include PICs as assets. Beneficial owners may be
monitoring and review relative to the risk of the account numerous; regardless, the financial institution must have
and/or department. records demonstrating reasonable knowledge and due
diligence of beneficiary identities. Offshore trusts should
A financial institution may use its own risk assessment or identify grantors of the trusts and sources of the grantors’
incorporate industry best practices into its due diligence wealth.
program. Specific due diligence procedures required by
Section 312 of USA PATRIOT Act include: Furthermore, OFAC screening may be difficult or
impossible when transactions are conducted through PICs,
• Verification of the identity of the nominal and offshore trusts, or token name accounts that shield true
beneficial owners of an account; identities. Management must ensure that accounts

DSC Risk Management Manual of Examination Policies 8.1-25 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
maintained in a name other than that of the beneficial • Transactions exceed reasonable amounts in relation to
owner are subject to the same level of filtering for OFAC the PEP’s known net worth.
as other accounts. That is, the OFAC screening process • Transactions are large in relation to the PEP’s home
must include the account’s beneficial ownership as well as country financial condition.
the official account name. • PEP’s home country is economically depressed, yet
the PEP’s home country transactions funding the
Documentation of Source of Funds account remain high.
• Customer refuses to disclose the nominal or beneficial
Documentation of the source of funds deposited into a owner of the account or provides false or misleading
private banking account is also required by Section 312 of information.
the USA PATRIOT Act. Customers will frequently • Net worth and/or source of funds for the PEP are
transfer large sums in single transactions and the financial unidentified.
institution must document initial and ongoing monetary
flows in order to effectively identify and report suspicious Additional discussion of due diligence procedures for these
activity. Understanding how high net worth customers’ accounts can be found in interagency guidance issued in
cash flows, operational income, and expenses flow through FDIC FIL-6-2001, dated in January 2001, “Guidance on
a private banking relationship is an integral part of Enhanced Scrutiny for Transactions That May Involve the
understanding the customer’s wealth picture. Due Proceeds of Foreign Official Corruption.”
diligence will often necessitate that the financial institution
thoroughly investigate the customer’s expected Fiduciary and Custody Services within the
transactions. Private Banking Department

Enhanced Scrutiny of Politically Exposed Persons Although fiduciary and agency activities are circumscribed
by formal trust laws, private banking clients may delegate
Enhanced scrutiny of accounts and transactions involving varying degrees of authority (discretionary versus
senior foreign political figures, their families and nondiscretionary) over assets under management to the
associates is required by law in order to guard against financial institution. In all cases, the terms under which the
laundering the proceeds of foreign corruption. assets are managed are fully described in a formal
agreement, also known as the “governing instrument”
Illegal activities related to foreign corruption were brought between the customer and the financial institution.
under the definition of money laundering by Section 315 of
USA PATRIOT Act. Abuses and corruption by political Even though the level of authority may encompass a wide
officials not only negatively impacts their home country’s range of products and services, examiners should
finances, but can also undermine international government determine the level of discretionary authority delegated to
and working group efforts against money laundering. A private banking department personnel in the management
financial institution doing business with corrupt PEPs can of these activities and the documentation required from
be exposed to significant reputational risk, which could customers to execute transactions on their behalf. Private
result in adverse financial impact through news articles, banking department personnel should not be able to
loss of customers, and even civil money penalties (CMPs). execute transactions on behalf of their clients without
Furthermore, a financial institution, its directors, officers, proper documentation from clients or independent
and employees can be exposed to criminal charges if they verification of client instructions.
did know or should have known (willful blindness) that
funds stemmed from corruption or serious crimes. Concerning investments, fiduciaries are also required to
exercise prudent investment standards, so the financial
As such, PEP accounts can present a higher risk. institution must ensure that if it is co-trustee or under
Enhanced scrutiny is appropriate in the following direction of the customer who retains investment
situations: discretion, that the investments meet prudent standards and
are in the best interest of the beneficiaries of the trust
• Customer asserts a need to have the foreign political accounts.
figure or related persons remain secret.
• Transactions are requested to be performed that are Trust agreements may also be structured to permit the
not expected given the customer’s account profile. grantor/customer to continue to add to the corpus of the
• Amounts and transactions do not make sense in trust account. This provides another avenue to place funds
relation to the PEP’s known income sources and uses.

Bank Secrecy Act (12-04) 8.1-26 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
into the banking system and may be used by money must be provided to employees reviewing transactions for
launderers for that purpose. suspicious activity.

Investment management services have many similar If the financial institution chooses to use numbered
characteristics to trust accounts. The accounts may be accounts, they must ensure that proper procedures are in
discretionary or nondiscretionary. Transactions from place. Here are some minimum standards for numbered or
clients through a private banking department relationship pseudonym accounts:
manager should be properly documented and able to be
independently verified. The portfolio manager should also • The BSA Officer should ensure that all required CIP
document the investment objectives. information is obtained and well documented. The
documentation should be readily available to
Custodial services offered to private banking customers regulators upon request.
include securities safekeeping, receipts and disbursements • Management should ensure that adequate suspicious
of dividends and interest, recordkeeping, and accounting. activity review procedures are in place. These
Custody relationships can be established in many ways, accounts are considered to be high risk, and, as such,
including referrals from other departments in the financial should have enhanced scrutiny. In order to properly
institution or from outside investment advisors. The monitor for unusual or suspicious activities, the
customer, or designated financial advisor, retains full person(s) responsible for monitoring these accounts
control of the investment management of the property must have the identity of the customer revealed to
subject to the custodianship. Sales and purchases of assets them. All transactions for these accounts should be
are made by instruction from the customer, and cash reviewed at least once a month or more frequently.
disbursements are prearranged or as instructed, again by • The financial institution’s system for performing
the customer. In this case, it is important for the financial OFAC reviews, Section 314(a) Requests, or any other
institution to know the customer. Procedures for proper inquiries on its customer databases, must be able to
administration should be established and reviewed check the actual names and relevant information of
frequently. these individuals. Typically the software will screen
just the account name on the trial balance.
Numbered Accounts Consequently, if the name is not on the trial balance,
then it could be overlooked in this process.
A numbered account, also known as a pseudonym account, Management should thoroughly document how it will
is opened not under an individual or corporate name, but handle such situations, as well as each review that is
under an assigned number or pseudonym. These types of performed.
numbered accounts are typically services offered in the
private banking department or the trust department, but Examiners should include the fact that the financial
they can be offered anywhere in the institution. institution’s policy allows for numbered accounts on the
“Confidential – Supervisory Section” page of the Report of
Numbered accounts present some distinct customer Examination. Given the high risk nature of this account
advantages when it comes to privacy. First, all of the type, examiners should review them at every examination
computerized information is recorded using the number or to ensure that management is adequately handling these
pseudonym, not the customer’s real name. This means that accounts.
tellers, wire personnel, and various employees do not know
the true identity of the customer. Furthermore, it protects Pouch Activities
the customer against identity theft. If electronic financial
records are stolen, the number or pseudonym will not Pouch activities involve the use of a common carrier to
provide personal information. Statements and any transport currency, monetary instruments, and other
documentation would simply show the number, not the documents usually from outside the U.S. to a domestic
customer’s true name or social security number. bank account. Pouches can originate from an individual or
another financial institution and can contain any kind of
However, numbered accounts offered by U.S. financial document, including all forms of bank transactions such as
institutions must still meet the requirements of the BSA demand deposits and loan payments. The contents of the
and specific customer identification and minimum due pouch are not always subject to search while in transport,
diligence documentation should be obtained. Account and considerable reliance is placed on the financial
opening personnel must adequately document the customer institution’s internal control systems designed to account
due diligence performed, and access to this information

DSC Risk Management Manual of Examination Policies 8.1-27 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
for the contents and their transfer into the institution’s
accounts. Special Use Accounts
Vulnerabilities in pouch systems can be exploited by those Special use accounts are in-house accounts established to
looking for an avenue to move illegally-gained funds into handle the processing of multiple customer transactions
the U.S. Law enforcement has uncovered money within the financial institution. These accounts are also
laundering schemes where pouches were used to transfer: known as concentration accounts, omnibus, or suspense
accounts and serve as settlement accounts. They are used
• Bulk currency, both U.S. and foreign, and in many areas of a financial institution, including private
• Sequentially numbered monetary instruments, such as banking departments and in the wire transfer function.
traveler’s checks and money orders. They present heightened money laundering risks because
controls may be lax and an audit trail of customer
Once these illegal funds are deposited into the U.S. information may not be easy to follow since transactions do
financial institution, they can be moved – typically through not always maintain the customer identifying information
use of a wire transfer – anywhere in the world. As such, with the transaction amount. In addition, many financial
pouches are used by those looking to legitimize proceeds institution employees may have access to the account and
and obscure the true source of the funds. have the ability to make numerous entries into and out of
the account. Balancing of the special use account is also
Financial institutions establish pouch activities primarily to not always the responsibility of one individual, although
provide a service. The risks associated with a night deposit items posted in the account are usually expected to be
drop box (one example of pouch activity) are very different processed or resolved and settled in one day.
from financial institutions that provide document and
currency transport from their international offices to Financial institutions that use special use accounts should
banking offices in the U.S. implement risk-based procedures and controls covering
access to and operation of these accounts. Procedures and
A prime benefit of having pouch services is the speed with controls should ensure that the audit trail provides for
which international transactions can be placed in the U.S. association of the identity of transactor, customer and/or
domestic banking system by avoiding clearing a transaction direct or beneficial owner with the actual movement of the
through several international banks in order to move the funds. As such, financial institutions must maintain
funds into the U.S. This benefit is particularly complete records of all customer transactions passing
advantageous for customers in countries that do not do through these special use accounts. At a minimum, such
direct business with the U.S., including those countries records should contain the following information:
that:
• Customer name,
• May require little or no customer identification, • Customer address,
• Are well-known secrecy havens, or • Account number,
• Are considered NCCTs. • Dollar value of the transaction, and
• Dates the account was affected.
Examination Guidance
Wire Transfer Activities
Examiners should ascertain if a financial institution offers
pouch services. If it does provide these services, The established wire transfer systems permit quick
examiners must verify that all pouch activity is included in movement of funds throughout the U.S. banking system
AML programs and is thoroughly monitored for suspicious and internationally. Wire transfers are commonly used to
activity. move funds in various money laundering schemes.
Successive wire transfers allow the originator and the
Examiners are strongly encouraged to be present during ultimate beneficiary of the funds to:
one or more pouch openings during the examination. By
reviewing the procedures for opening and documenting
• Obtain relative anonymity,
items in the pouches, along with records maintained of
• Obfuscate the money trail,
pouch activities, examiners should be able to ascertain or
• Easily aggregate funds from a large geographic area,
confirm the degree of risk undertaken and the sufficiency
of AML program in relation to the institution’s pouch • Move funds out of or into the U.S., and
activity. • “Legitimize” illegal proceeds.

Bank Secrecy Act (12-04) 8.1-28 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1

Financial institutions use two wire transfer systems in the Familiarity with the customer and type of business enables
U.S., the Fedwire and the Clearing House Interbank the financial institution to more accurately analyze
Payments System (CHIPS). A telecommunications transactions and thereby identify unusual wire transfer
network, the Society for Worldwide Interbank Financial activity. With appropriate CDD policies and procedures,
Telecommunications (SWIFT), is often used to send financial institutions should have some expectation of the
messages with international wire transfers. type and volume of activity in accounts, especially if the
account belongs to a high-risk entity or the customer uses
Fedwire transactions are governed by the Uniform higher-risk products or services. Consideration should be
Commercial Code Article 4a and the Federal Reserve given to the following items in arriving at this expectation:
Board’s Regulation J. These laws primarily facilitate
business conduct for electronic funds transfers; however, • Type and size of business;
financial institutions must ensure they are using procedures • Customer’s stated explanation for activity;
for identification and reporting of suspicious and unusual • Historical customer activity; and
transactions. • Activity of other customers in the same line of
business.
Wire Transfer Money Laundering Risks
Wire Transfer Recordkeeping Requirements
Although wire systems are used in many legitimate ways,
most money launderers use wire transfers to aggregate BSA recordkeeping rules require the retention of certain
funds from different sources and move them through information for funds transfers and the transmittal of funds.
accounts at different banks until their origin cannot be Basic recordkeeping requirements are established in 31
traced. Money laundering schemes uncovered by law CFR 103.33 and require the maintenance of the following
enforcement agencies show that money launderers records on all wire transfers originated over $3,000:
aggregate funds from multiple accounts at the same
financial institution, wire those funds to accounts held at • Name and address of the originator,
other U.S. financial institutions, consolidate funds from • Amount of the payment order,
these larger accounts, and ultimately wire the funds to • Execution date of the payment order,
offshore accounts in countries where laws are designed to • Payment instructions received from the originator,
facilitate secrecy. In some cases the monies are then sent
• Identity of the beneficiary’s financial institution, and
back into the U.S. with the appearance of being legitimate
• As many of the following items that are received with
funds.
the transfer order:
o Name and address of the beneficiary,
It can be challenging for financial institutions to identify
o Account number of the beneficiary, and
suspicious transactions due to the:
o Any other specific identifier of the beneficiary.
• Large number of wire transactions that occur in any
In addition, as either an intermediary bank or a beneficiary
given day;
bank, the financial institution must retain a complete record
• Size of wire transactions; of the payment order. Furthermore, the $3,000 minimum
• Speed at which transactions move and settle; and limit for retention of this information does not mean that
• Weaknesses in identifying the customers (originators wire transfers under this amount should not be reviewed or
and/or beneficiaries) of such transactions at the monitored for unusual activity.
sending or receiving banks.
Funds Transfer Record Keeping and
A money launderer will often try to make wire transfers Travel Rule Regulations
appear to be for a legitimate purpose, or may use “shell
companies” (corporations that exist only on paper, similar Along with the BSA recordkeeping rules, the Funds
to shell banks discussed above in the section entitled Transfer Recordkeeping and Travel Rule Regulations
“Foreign Correspondent Banking Relationships”), often became effective in May of 1996. The regulations call for
chartered in another country. Money launderers usually standard recordkeeping requirements to ensure all
look for legitimate businesses with high cash sales and high institutions are obtaining and maintaining the same
turnover to serve as a front company. information on all wire transfers of $3,000 or more. Like
the BSA recordkeeping requirements, these additional
Mitigation of Wire Transfer Money Laundering Risks recordkeeping requirements were put in place to create a

DSC Risk Management Manual of Examination Policies 8.1-29 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
paper trail for law enforcement to investigate money
laundering schemes and other illegal activities. Electronic banking (E-Banking) consists of electronic
access (through direct personal computer connection, the
Industry best practices dictate that domestic institutions Internet, or other means) to financial institution services,
should encourage all foreign countries to attach the identity such as opening deposit accounts, applying for loans, and
of the originator to wire information as it travels to the U.S. conducting transactions. E-banking risks are not as
and to other countries. Furthermore, the financial significant at financial institutions that have a stand-alone
institution sending or receiving the wire cannot ensure “information only” website with no transactional or
adequate OFAC verification if they do not have all of the application capabilities. Many financial institutions offer a
appropriate originator and beneficiary information on wire variety of E-banking services and it is very common to
transfers. obtain a credit card, car loan, or mortgage loan on the
Internet without ever meeting face-to-face with a financial
Necessary Due Diligence on Wire Transfer Customers institution representative.

To comply with these standards and regulations, a financial The financial institution should have established policies
institution needs to know its customers. The ability to and procedures for authenticating new customers obtained
trace funds and identify suspicious and unusual through E-banking channels. Customer identification
transactions hinges on retaining information and a strong policies and procedures should meet the minimum
knowledge of the customer developed through requirements of the USA PATRIOT Act and be sufficient
comprehensive CDD procedures. Financial institution to cover the additional risks related to customers opening
personnel must know the identity and business of the accounts electronically. New account applications
customer on whose behalf wire transfers are sent and submitted over the Internet increase the difficulty of
received. Wire room personnel must be trained to identify verifying the application information. Many financial
suspicious or unusual wire activities and have a strong institutions choose to require the prospective customer to
understanding of the bank’s OFAC monitoring and come into an office or branch to complete the account
reporting procedures. opening process, while others will not. If a financial
institution completes the entire application process over the
Review and monitoring activity should also take place Internet, it should consider using third-party databases or
subsequent to sending or receiving wires to further aid in vendors to provide:
identification of suspicious transactions. Reviewers should
look for: • Positive verification, which ensures that material
information provided by an applicant matches
• Unusual wire transfer activity patterns; information from third-party sources;
• Transfers to and from high-risk countries; or • Negative verification, which ensures that information
• Any of the “red flags” relating to wire transfers (refer provided is not linked to previous fraudulent activity;
to the “Identification of Suspicious Transactions” and
discussion included within this chapter.) • Logical verification, which ensures that the
information is logically consistent.
Risks Associated with Wire Transfers Sent with “Pay
Upon Proper Identification” Instructions In addition to initial verification, a financial institution
must also authenticate the customer’s identity each time an
Financial institutions should also be particularly cautious attempt is made to access his/her private information or to
of wire transfers sent or received with “Pay Upon Proper conduct a transaction over the Internet. The authentication
Identification” (PUPID) instructions. PUPID transactions methods involve confirming one or more of these three
allow the wire transfer originator to send funds to a factors:
financial institution location where an individual or
business does not have an account relationship. Since the • Information only the user should know, such as a
funds receiver does not have an account at the financial password or personal identification number (PIN);
institution, he/she must show prior identification to pick up • An object the user possesses, such as an automatic
the funds, hence the term PUPID. These transactions can teller machine (ATM) card, smart card, or token; or
be legitimate, but pose a higher than normal money • Something physical of the user, such as a biometric
laundering risk. characteristic like a fingerprint or iris pattern.

Electronic Banking

Bank Secrecy Act (12-04) 8.1-30 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
Automated Clearing House Transactions and Minimum Requirements of the
Electronic Initiation Systems BSA Compliance Program
Additionally, the National Automated Clearing House
The BSA compliance program must be in writing and
Association (NACHA) has provided standards which
approved by the financial institution’s board of directors,
mandate the use of security measures for automated
with approval noted in the Board minutes. Best practices
clearing house (ACH) transactions initiated through the
dictate that Board should review and approve the policy
Internet or electronically. These guidelines include
annually. In addition, financial institutions are required to
ensuring secure access to the electronic and Internet
develop and implement a Customer Identification Program
systems in conjunction with procedures reasonably
as part of their overall BSA compliance program. More
designed to identify the ACH originator.
specific guidance regarding the CIP program requirements
can be found within the “Customer Identification Program”
Interagency guidance on authenticating users of technology
discussion within this section of the DSC Risk
and the identity of customers is further discussed in FDIC
Management Manual of Examination Policies (DSC
FIL-69-2001, “Authentication in an Electronic
Manual).
Environment.” This FIL not only identifies the risk of
access to systems and information, it also emphasizes the
A financial institution’s BSA compliance program must
need to verify the identity of electronic and/or Internet
meet four minimum requirements, as detailed in Section
customers, particularly those who request account opening
326.8 of the FDIC’s Rules and Regulations. The
and new services online.
procedures necessary to establish an adequate program and
assure reasonable compliance efforts designed to meet
these minimum requirements are discussed in detail below:
MONITORING BANK SECRECY ACT
COMPLIANCE 1. A system of internal controls. At a minimum, the
system must be designed to:
Section 8(s) of the Federal Deposit Insurance Act, which
implements 12 U.S.C. 1818, requires the FDIC to: a. Identify reportable transactions at a point where
all of the information necessary to properly
• Develop regulations that require insured financial complete the required reporting forms can be
institutions to establish and maintain procedures obtained. The financial institution might
reasonably designed to assure and monitor compliance accomplish this by sufficiently training tellers and
with the BSA; personnel in other departments or by referring
• Review such procedures during examinations; and large currency transactions to a designated
• Describe any problem with the procedures maintained individual or department. If all pertinent
by the insured depository institution within reports of information cannot be obtained from the
examination. customer, the financial institution should consider
declining the transaction.
To satisfy Section 8(s) requirements, at a minimum, b. Monitor, identify, and report possible money
examiners must review BSA at each regular safety and laundering or unusual and suspicious activity.
soundness examination. In addition, the FDIC must Procedures should provide that high-risk
conduct its own BSA examination at any intervening accounts, services, and transactions are regularly
Safety and Soundness examination conducted by a State reviewed for suspicious activity.
banking authority if such authority does not review for c. Ensure that all required reports are completed
compliance with the BSA. Section 326.8 of the FDIC’s accurately and properly filed within required
Rules and Regulations establishes the minimum BSA timeframes. Financial institutions should consider
program requirements for all state nonmember banks, centralizing the review and report filing functions
which are necessary to assure compliance with the financial within the banking organization.
recordkeeping and reporting requirements set forth within d. Ensure that customer exemptions are properly
the provisions of the Treasury regulation 31 CFR 103. granted, recorded, and reviewed as appropriate,
including biennial renewals of “Phase II”
Part 326.8 of the FDIC’s Rules and exemptions. Exempt accounts must be reviewed
at least annually to ensure that the exemptions are
Regulations still valid and to determine if any suspicious or
unusual activity is occurring in the account. The

DSC Risk Management Manual of Examination Policies 8.1-31 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
BSA compliance officer should review and initial activities. Although not required by the regulation,
all exemptions prior to granting and renewing this review should be conducted at least annually.
them. Financial institutions that do not employ outside
e. Ensure that all information sharing requests issued auditors or consultants or that do not operate internal
under Section 314(a) of the USA PATRIOT Act audit departments can comply with this requirement by
are checked in accordance with FinCEN utilizing employees who are not involved in the
guidelines and are fully completed within currency transaction reporting or suspicious activity
mandated time constraints. reporting functions to conduct the reviews. The BSA
f. Ensure that guidelines are established for the compliance officer, even if he/she does not participate
optional providing and sharing of information in in the daily BSA monitoring and reporting of BSA,
accordance with 314(b) of the USA PATRIOT can never suffice for an independent review.
Act and the written employment verification
regulations (as specified in Section 355 of the The scope of the independent testing should be
USA PATRIOT Act). sufficient to verify compliance with the financial
g. Ensure that the financial institution’s CIP institution’s anti-money laundering program.
procedures comply with regulatory requirements. Additionally, all findings from the audit should be
h. Ensure that procedures provide for adequate provided within a written report and promptly reported
customer due diligence in relation to the risk to the board of directors or appropriate committee
levels of customers and account types. Adequate thereof. Testing for compliance should include, at a
monitoring for unusual or suspicious activities minimum:
cannot be completed without a strong CDD
program. The CDD program should assist a. A test of the financial institution’s internal
management in predicting the types, dollar procedures for monitoring compliance with the
volume, and transaction volume the customer is BSA, including interviews of employees who
likely to conduct, thereby providing a means to handle cash transactions and their supervisors.
identify unusual or suspicious transactions for that The scope should include all business lines,
customer. departments, branches, and a sufficient sampling
i. Establish procedures for screening accounts and of locations, including overseas offices.
transactions for OFAC compliance that include b. A sampling of large currency transactions,
guidelines for responding to identified matches followed by a review of CTR filings.
and reporting those to OFAC. c. A test of the validity and reasonableness of the
j. Provide for adequate due diligence, monitoring, customer exemptions granted by the financial
and reporting of private banking activities and institution.
foreign correspondent relationships. The level of d. A test of procedures for identifying suspicious
due diligence and monitoring must be transactions and the filing of SARs. Such
commensurate with the inherent account risk. procedures should incorporate a review of reports
k. Provide for adequate supervision of employees used by management to identify unusual or
who accept currency transactions, complete suspicious activities.
reports, grant exemptions, open new customer e. A review of documentation on transactions that
accounts, or engage in any other activity covered management initially identified as unusual or
by the Financial Recordkeeping and Reporting of suspicious, but, after research, determined that
Currency and Foreign Transactions regulations at SAR filings were not warranted.
31 CFR 103. f. A test of procedures and information systems to
l. Establish dual controls and provide for separation review compliance with the OFAC regulations.
of duties. Employees who complete the reporting Such a test should include a review of the
forms should not be responsible for filing them or frequency of receipt of OFAC updates and
for granting customer exemptions. interviews to determine personnel knowledge of
OFAC procedures.
2. Independent testing for compliance with the BSA and g. A test of the adequacy of the CDD program and
Treasury’s regulation 31 CFR Part 103. Independent the CIP. Testing procedures should ensure that
testing of the BSA compliance program should be established CIP standards are appropriate for the
conducted by the internal audit department, outside various account types, business lines, and
auditors, or qualified consultants. Testing must departments. New accounts from various areas in
include procedures related to high-risk accounts and the financial institution should be sampled to

Bank Secrecy Act (12-04) 8.1-32 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
ensure that CDD and CIP efforts meet policy comprehensive, conducted regularly, and clearly
requirements. documented. The scope of the training should include:
h. A review of management reporting of BSA-
related activities and compliance efforts. Such a • The financial institution’s BSA policies and
review should determine that reports provide procedures;
necessary information for adequate BSA • Identification of the three stages of money
monitoring and that they capture the universe of laundering (placement, layering, and integration);
transactions for that reporting area. (For example, • “Red flags” to assist in the identification of money
the incoming wire transfer logs should contain all laundering (similar to those provided within the
the incoming transfers for the time period being “Identification of Suspicious Transactions”
reviewed). discussion within this chapter);
i. A test of the financial institution’s recordkeeping • Identification and examples of suspicious
system for compliance with the BSA. transactions;
j. Documentation of the scope of the testing • The purpose and importance of a strong CDD
procedures performed and the findings of the program and CIP requirements;
testing. • Internal procedures for CTR and SAR filings;
• Procedures for reporting BSA matters, including
Independent Testing Workpaper Retention SAR filings to senior management and the board
of directors;
Retention of workpapers from the independent testing or
• Procedures for conveying any new BSA rules,
audit of BSA is expected and those workpapers must be
regulations, or internal policy changes to all
made available to examiners for review upon request. It is
appropriate personnel in a timely manner; and
essential that the scope and findings from any testing
• OFAC policies and procedures.
procedures be thoroughly documented. Procedures that are
not adequately documented will not be accepted as being in
Depending on the financial institution’s needs, training
compliance with the independent testing requirement.
materials can be purchased from banking associations,
trade groups, and outside vendors, or they can be internally
3. The designation of an individual or individuals
developed by the financial institution itself. Copies of the
responsible for coordinating and monitoring day-to-
training materials must be available in the financial
day compliance with BSA. To meet the minimum
institution for review by examiners.
requirement, each financial institution must designate
a senior official within the organization to be
responsible for overall BSA compliance. Other
individuals in each office, department or regional BSA VIOLATIONS AND ENFORCEMENT
headquarters should be given the responsibility for
day-to-day compliance. The senior official in charge Procedures for Citing Apparent Violations in
of BSA compliance should be in a position, and have the Report of Examination
the authority, to make and enforce policies. This is
not intended to require that the BSA administrator be Apparent Violations of the U.S. Department of the
an “executive officer” under the Federal Reserve Treasury’s regulation 31 CFR 103 - Financial
Board’s Regulation O. Recordkeeping and Reporting of Currency and Foreign
Transactions
4. Training for appropriate personnel. At a minimum,
the financial institution’s training program must As stated previously, Treasury’s regulation 31 CFR 103
provide training for all operational personnel whose establishes the minimum recordkeeping and reporting
duties may require knowledge of the BSA, including, requirements for currency and foreign transactions by
but not limited to, tellers, new accounts personnel, financial institutions. Failure to comply with the
lending personnel, bookkeeping personnel, wire room requirements of 31 CFR 103 may result in the examiner
personnel, international department personnel, and citing an apparent violation(s). Apparent violations of 31
information technology personnel. In addition, an CFR 103 are generally for specific issues such as:
overview of the BSA requirements should be given to
new employees and efforts should be made to keep • Failure to adequately identify and report large cash
executives and directors informed of changes and new transactions in a timely manner;
developments in BSA regulations.Training should be

DSC Risk Management Manual of Examination Policies 8.1-33 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
• Failure to report Suspicious Activities, such as deposit bank management with a separate list so that they can
layering or structuring cash transactions; identify and, if possible, correct the particular violation. A
• Failure to reasonably identify and verify customer copy of the list must also be maintained in the BSA
identity; and examination workpapers.
• Failure to maintain adequate documentation of
financial transactions, such as the purchase or sale of Additionally, deficient practices may violate more than one
monetary instruments and originating or receiving wire regulation. In such circumstances, the apparent violations
transfers. can be grouped together. However, all of the sections of
each violated regulation must be cited. Each apparent
All apparent violations of the BSA should be reported in violation must be recorded on the BSA Data Entry sheet
the Violations of Laws and Regulations pages of the and submitted with the Report of Examination for review
Report of Examination. When preparing written and transmittal.
comments related to apparent violations cited as a result of
deficient BSA compliance practices, the following Apparent Violations of Section 326.8 of the FDIC Rules
information should be included in each citation: and Regulations

• Reference to the appropriate section of the regulation; In situations where deficiencies in the BSA compliance
• Nature of the apparent violation; program are serious or systemic in nature, or apparent
• Date(s) and amount of the transaction(s); violations result from management’s inability or
• Name(s) of the parties to the transaction; unwillingness to develop and administer an effective BSA
compliance program, examiners should cite an apparent
• Description of the transaction; and
violation(s) of the appropriate subsection(s) of Section
• Management’s response, including planned or taken
326.8, within the Report of Examination. Additionally,
corrective action.
apparent violations of 31 CFR 103 that are repeated at two
or more examinations, or dissimilar apparent violations
In preparing written comments for apparent violations of
that are recurring over several examinations, may also
the BSA, examiners should focus solely on statements of
point towards a seriously deficient compliance program.
fact, and take precautions to ensure that subjective
When such deficiencies persist within the financial
comments are omitted. Such statements would include an
institution, it may be appropriate for examiners to consider
examiner attributing the infraction to a cause, such as
the overall program to be deficient and cite an apparent
management oversight or computer error. For all
violation of Section 326.8.
violations of 31 CFR 103, the Treasury reserves the
authority to determine if civil penalties should be pursued.
Specifically, an apparent violation of Section 326.8(b)(1)
Examiner comments on the supposed causes of apparent
should be cited when the weaknesses and deficiencies
violations may affect the Treasury’s ability to pursue a
identified in the BSA compliance program are significant,
case.
repeated, or pervasive. Citing a Section 326.8(b)(1)
violation indicates that the program is inadequate or
Random, isolated apparent violations do not require
substantially ineffective. Furthermore, these deficiencies,
lengthy explanations or write-ups in the Report of
if uncorrected, significantly impair the institution’s ability
Examination. In such cases, the section of the regulation
to detect and prevent potential money laundering or
violated, and identification of the transaction and/or
terrorist financing activities.
instance will suffice. Examiners are also encouraged to
group violations by type. When there are several
An apparent violation of Section 326.8(b)(2) should be
exceptions to a particular section of the regulation, for
cited when weaknesses and deficiencies cited in the
example, late CTR filing, examiners should include a
Customer Identification Program mitigate the institution’s
minimum of three examples in the Report of Examination
ability to reasonably establish, verify and record customer
citation. The remainder of the violations under that
identity. An apparent violation of 326.8(b)(2) would
specific regulation can be listed as a total, without detailing
generally be associated with specific weaknesses that
all of the information. For example, detail three late CTR
would be reflected in apparent violations of 31 CFR
filings with customer information, dates, and amounts, but
103.121, which establishes the minimum requirements for
list a total in the apparent violation write-up for 55
Customer Identification Programs.
instances identified during the examination.
An apparent violation of Section 326.8(c) should be cited
If an examiner chooses not to include each example in the
for a specific program deficiency to the extent that
apparent violation citation, the examiners should provide

Bank Secrecy Act (12-04) 8.1-34 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
deficiency is attributed to internal controls, independent
testing, individual responsible for monitoring day-to-day Civil penalties for negligence and willful violations of BSA
compliance, or training. If an apparent violation of Section are detailed in 31 CFR 103.57. This section states that
326.8(c) is determined to be an isolated program weakness negligent violations of any regulations under 31 CFR 103
that does not significantly impair the effectiveness of the shall not exceed $500. Willful violations for any reporting
overall compliance program, then a Section 326.8(b) requirement for financial institutions under 31 CFR 103
should not be cited. If one or more program violations are can be assessed a civil penalty up to $100,000 and no less
cited under Section 326.8(c), or are accompanied by than $25,000. CMPs may also be imposed by the FDIC for
notable infractions of Treasury’s regulation 31 CFR 103, violations of final Cease and Desist Orders issued under
or management is unwilling or unable to correct the our authority granted in Section 8(s) of the Federal Deposit
reported deficiencies, the aggregate citations would likely Insurance Act (FDI Act). In these cases, the penalty is
point toward an ineffective program and warrant the established by Section 8(i)(2) of the FDI Act at up to
additional citing of a 326.8(b) program violation, in $5,000 per day for each day the violation continues.
addition to the other program, and/or financial Recommendations for civil money penalties for violations
recordkeeping violations. of Cease and Desist Orders should be handled in
accordance with outstanding FDIC Directives.
When preparing written comments related to apparent
violations cited as a result of deficient BSA compliance Furthermore, Section 363 of the USA PATRIOT Act
program, as defined in Section 326.8, the following increases the maximum civil and criminal penalties from
information should be included in each citation: $100,000 to up to $1,000,000 for violations of the
following sections of the USA PATRIOT Act:
• Nature of the violation(s);
• Name(s) of the individual(s) responsible for • Section 311: Special measures enacted by the Treasury
coordinating and monitoring compliance with the BSA for jurisdictions, financial institutions, or international
(BSA officer); transactions or accounts of primary money laundering
• Specific internal control deficiencies that contributed concern;
to the apparent violation(s); and • Section 312: Special due diligence for correspondent
• Management’s response, including planned or taken accounts and private banking accounts; and
corrective action. • Section 313: Prohibitions on U.S. correspondent
accounts with foreign shell banks.
BSA Workpapers Evidencing Apparent Violations
Referring Significant Violations of the BSA to FinCEN
BSA examination workpapers that support BSA/AML
apparent violation citations, enforcement actions, SARs, Financial institutions that are substantially noncompliant
and CMP referrals to the Treasury should be maintained with the BSA should be reviewed by the FDIC for
for 5 years, since they may be needed to assist further recommendation to FinCEN regarding the issuance of
investigation or other supervisory response. Examination CMPs. FinCEN is the administrator of the BSA and has
workpapers should not generally be included as part of a the authority to assess CMPs against any domestic
SAR, enforcement action recommendation, or Treasury financial institution, including any insured U.S. branch of a
referral, but may be requested for additional supporting foreign bank, and any partner, director, officer, or
information during a law enforcement investigation. employee of a domestic financial institution for violations
of the BSA and implementing regulations. Criminal
Civil Money Penalties and prosecution is also authorized, when warranted. However,
referrals to FinCEN do not preclude the FDIC from using
Referrals to FinCEN
its authority to take formal administrative action.
When significant apparent violations of the BSA, or cases
Factors to consider for determining when a referral to
of willful and deliberate violations of 31 CFR 103 or
FinCEN is warranted and the guidelines established for
Section 326.8 of the FDIC’s Rules and Regulations are
preparing and forwarding referral documentation are
identified at a state nonmember financial institution,
detailed in examiner guidance. When examiners identify
examiners should determine if a recommendation for
serious BSA program weaknesses at an institution,
CMPs is appropriate. This assessment should be
including significant apparent violations, the examiner
conducted in accordance with existing examiner guidance
should consult with the Regional SACM before proceeding
for consideration of CMPs, detailed within the DSC
further.
Manual.

DSC Risk Management Manual of Examination Policies 8.1-35 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
• Volunteer reporting by the institution of apparent
Generally, a referral should be considered when the types violations discovered on its own during the course of
and nature of apparent violations of the BSA result from a internal audits. This does not apply to situations
nonexistent or seriously deficient BSA and anti-money where examiners disclose apparent violations and the
laundering compliance program; expose the financial institution comes forward voluntarily to head off a
institution to a heightened level of risk for potential money possible referral.
laundering activity; or demonstrate a willful or flagrant • Positive efforts to assist law enforcement, including
disregard for the requirements of the BSA. Normally, the reporting of suspicious transactions and the filing
isolated incidences of noncompliance should not be of Suspicious Activity Reports.
referred for penalty consideration. Even if the type of
violation was cited previously, referral would not be It should be noted that FinCEN does not categorize
appropriate if the apparent violations involved are genuine violations as substantive or technical. However, FinCEN
misunderstandings of the BSA requirements or inadvertent does recognize the varying nature of violations and the fact
violations, the deficiencies are correctable in the normal that not all violations require a referral.
course of business and proper corrective action has been
taken or committed to by management. Content of a Well-Developed Referral

A referral may be warranted in the absence of previous A well-developed referral is one that contains sufficient
violations if the nature of apparent violations identified at detail to permit FinCEN to ascertain: the number, nature
the current examination is serious. An example would be and severity of apparent violations cited; the overall level
failing to file FinCEN Form 104, Currency Transaction of BSA compliance; the severity of any weaknesses in the
Report, on nonexemptible businesses or businesses that, financial institution’s compliance program; and the
while exemptible, FinCEN, as a matter of policy will not financial institution’s ability to achieve a satisfactory level
authorize the financial institution to exempt. To illustrate, of compliance in the future.
the failure to file CTRs on transactions involving an
individual or automobile dealer (both nonexemptible) is of A summary memorandum detailing these issues should be
greater concern to FinCEN than a failure to file CTRs on a prepared by the field examiner and submitted to the
recently opened supermarket which has not yet been added Regional Office for review. At a minimum, each referral
to the bank’s exempt list or a golf course where the should include a copy of this memorandum, the Report of
financial institution believed that it qualified for a Examination pages that discuss BSA findings, and a civil
unilateral exemption as a sports arena. This doesn’t mean monetary penalty assessment. Documents contained in the
that the failure to file CTRs on a supermarket should never referral package need to be conclusion-oriented and
be referred. Failure to file CTRs on a supermarket that is a descriptive with facts supporting summary conclusions. It
front for organized crime, that has no customers yet has is not sufficient to say that the financial institution has
large receipts, or that has currency transaction activity that written policies and procedures or that management
far exceeds its expected revenues would warrant referral. provides training to employees. Referrals are much more
useful when they discuss the specific deficiencies identified
Mitigating Factors to Consider within the compliance programs, policies and procedures,
systems, management involvement, and training.
Other considerations in, deciding whether to recommend
criminal/civil penalties include the financial institution’s Discussing the Referral Process with
past history of compliance, and whether the current system Financial Institution Management
of policies, procedures, systems, internal controls, and
training are sufficient to ensure a satisfactory level in the Examiners should not advise the financial institution that a
future. Senior management’s attitude and commitment civil money penalty referral is being submitted to FinCEN.
toward compliance as evidenced by their involvement and If an investigation by law enforcement is warranted, it may
devotion of resources to compliance programs should also be compromised by disclosure of this information. It is
be considered. Any mitigating factors should be given full permissible to tell management that FinCEN will be
consideration. Mitigating factors would include: notified of all apparent violations of the BSA cited.
However, examiners are not to provide any oral or written
• The implementation of a comprehensive compliance communication to the financial institution passing
program that ensures a high level of compliance judgment on the willfulness of apparent violations.
including a system for aggregating currency
transactions. Criminal Penalties

Bank Secrecy Act (12-04) 8.1-36 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
decision should be maintained at the Regional Office and a
Treasury regulation 31 CFR 103.59 notifies institutions copy of that documentation submitted to the Special
that they can be subject to criminal penalties if convicted Activities Section in Washington, D.C.
for willful violations of the BSA of not more than $1,000
and/or one year in prison. If such a BSA violation is Memoranda of Understanding (MOU) and
committed to further any other Federal law punishable by Board Resolutions (BBR)
more than a year in prison (such as fraud, money
laundering, theft, illegal narcotics sales, etc.) then harsher In certain cases, the Regional Office may determine that a
penalties can be imposed. In these cases, the perpetrator, BBR or a MOU is an appropriate action to deal with an
upon conviction, can be fined not more than $10,000 institution’s BSA weaknesses. BBRs should only be used
and/or be imprisoned not more than 5 years. in circumstances where recommendations are minor and do
not affect the overall adequacy of the institution’s BSA
In addition, criminal penalties may also be charged against compliance program. Unlike a BBR, a MOU is a bi-lateral
any person who knowingly makes any false, fictitious, or agreement between the financial institution and the FDIC.
fraudulent statement or representation in any BSA report. When the Regional Office deems that a MOU is
Upon conviction of such an act, the perpetrator may be appropriate, the examiners, reviewer, the Regional SACM,
fined not more than $10,000 and/or imprisoned for 5 years. and the Regional legal department may work together to
formulate the provisions of the action and obtain
Certain violations of the BSA allow for the U.S. appropriate approvals as soon as possible after the
Government to seize the funds related to the crime. The examination.
USA PATRIOT Act amended the BSA to provide for
funds forfeiture in cases dealing with foreign crimes, U.S. Cease and Desist Orders
interbank accounts, and in connection with some currency
transaction reporting violations. Furthermore, the U.S. Section 8(s) of the FDI Act grants the FDIC the power to
Government can seize currency or other monetary issue Cease and Desist Orders solely for the purpose of
instruments physically transported into or out of the U.S. correcting BSA issues at state nonmember banks. In
when required BSA reports go unfiled or contain material situations where BSA/AML program weaknesses expose
omissions or misstatements. the institution to an elevated level of risk to potential
money laundering activity, are repeatedly cited at
Supervisory Actions consecutive examinations, or demonstrate willful
noncompliance or negligence by management, a Section
The FDIC has the authority to address less than adequate 8(b) Order to Cease and Desist should be considered by the
compliance with the BSA through various formal or Regional Office. Cases referred to FinCEN for civil
informal administrative actions. If a specific violation of money penalties should also be reviewed for formal
Section 326.8 or 31 CFR 103 is not corrected or the same supervisory action.
provision of a regulation is cited from one examination to
the next, Section 8(s) of the FDI Act requires the FDIC to When a Cease and Desist Order is deemed to be
consider formal enforcement action as described in Section appropriate, the examiners, reviewer, the Regional SACM,
8(b) or 8(c) of the FDI Act. However, the FDIC has and the Regional legal department should work together to
determined that informal enforcement action, such as a formulate the provisions of the action and obtain
Board Resolution or a Memorandum of Understanding appropriate approvals as soon as possible after the
may be a more appropriate supervisory response, given examination. Specific details are contained in the Formal
related circumstances and events, which may serve as and Informal Actions Procedures (FIAP) Manual.
mitigating factors.
Removal/Prohibition Orders
Violations of a technical and limited nature would not
necessarily reflect an inadequate BSA program; as such, it If deficiencies or apparent violations of Section 326.8 or
is important to look at the type and number of violations 31 CFR 103 involve negligent or egregious action or
before determining the appropriate administrative action. inaction by institution-affiliated parties (IAPs), other
If the Regional Office reviews a case with significant formal actions may be appropriate. In such situations
violations, it should determine whether an enforcement where the IAP exposes the institution to an elevated risk of,
action is necessary. Under such circumstances, if the or has facilitated or participated in actual transactions
Regional Office determines that a Cease and Desist action involving money laundering activity, utilization of Section
is not appropriate, then documentation supporting that

DSC Risk Management Manual of Examination Policies 8.1-37 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
8(e) of the FDI Act, a removal/prohibition action, should causes or attempts to cause a financial institution to fail to
be considered. file a CTR, or causes the financial institution to file a CTR
that contains a material omission or misstatement of fact, is
In cases where apparent violations of Section 326.8 and/or subject to the criminal and civil violations of the BSA
31 CFR Section 103 have been committed by an IAP(s) regulations. Financial institutions are required by the BSA
and appear to involve criminal intent, examiners should to have monitoring procedures in place to identify
contact the Regional SACM or other designees about filing structured transactions.
a SAR on the IAP(s). If the involvement of the IAP(s) in
the criminal activity warrants, the Regional Office should Knowledge of the three stages of money laundering
also consider contacting the Federal Bureau of (discussed below) has multiple benefits for financial
Investigation (FBI) or other Federal law enforcement institutions. These benefits include, but are not limited to,
agency via phone or letter to provide them a referral of the the following:
SAR and indicate the FDIC’s interest in pursuit of the case.
• Identification and reporting of illicit activities to
FinCEN,
IDENTIFICATION OF SUSPICIOUS • Prevention against losses stemming from fraud,
TRANSACTIONS • Prevention against citation of apparent violations of
BSA and SAR regulations, and
Effective BSA/AML compliance programs include • Prevention against assessment of CMPs by FinCEN
controls and measures to identify and report suspicious and/or the FDIC.
transactions in a timely manner. An institution should have
in place a CDD program sufficient to be able to make an The following discussions and “red flag” lists, while not
informed decision about the suspicious nature of a all-inclusive, identify various types of suspicious
particular transaction. This section highlights unusual or activity/transactions. These lists are intended to serve as a
suspicious activities and transactions that may indicate reference tool and should not be used to make immediate
potential money laundering through structured transactions, and definitive conclusions that a particular activity or
terrorist financing, and other schemes designed for illicit series of transactions is illegal. They should be viewed as
purposes. Often, individuals involved in suspicious potentially suspicious warranting further review. The
activity will use a combination of several types of unusual activity/transactions may not be suspicious if they are
transactions in an attempt to confuse or mislead anyone consistent with a customer’s legitimate business.
attempting to identify the true nature of their activities.
The Three Stages of Money Laundering
Structuring is the most common suspicious activity
reported to FinCEN. Structuring is defined as breaking There are three stages in typical money laundering
down a sum of currency that exceeds the $10,000 CTR schemes:
reporting level per the regulation, into a series of
transactions at or less than $10,000. The transactions do 1. Placement,
not need to occur on any single day in order to constitute 2. Layering, and
structuring. Money launderers have developed many ways 3. Integration.
to structure large amounts of cash to evade the CTR
reporting requirements. Examiners should be alert to Placement
multiple cash transactions that exceed $10,000, but may
involve other monetary instruments, bank official checks, Placement, the first stage of money laundering, involves
travelers’ checks, savings bonds, loans and loan payments, the placement of bulk cash into the financial system
or even securities transactions as the offsetting entry. The without the appearance of being connected to a criminal
transactions could also involve the exchange of small bank activity. There are many ways cash can be placed into the
notes for large ones, but in amounts less than $10,000. system. The simplest way is to deposit cash into a
Structuring of cash transactions to evade CTR filing financial institution; however, this is also one of the riskier
requirements is often the easiest of suspicious activities to ways to get caught laundering money. To avoid notice,
identify. It is subject to criminal and civil violations of the banking transactions involving cash are likely to be
BSA regulations as implemented within 31 CFR 130.63. conducted in amounts under the CTR reporting thresholds;
This regulation states that any person who structures or this activity is referred to as “structuring.”
assists in structuring a currency transaction at a financial
institution for the purpose of evading CTR reporting, or

Bank Secrecy Act (12-04) 8.1-38 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
Furthermore, the use of false identities to conduct these • Obtaining certificate of deposit (CD) secured loans
transactions is common; banking officers should be vigilant and depositing the loan disbursement check into an
in looking for false identification documents. In an attempt account (when the loan is defaulted on, there is no loss
to conceal their activities, money launderers will often to the bank); and
resort to “smurfing” activities to get illicit funds into a • Depositing a refund check from a canceled vacation
financial institution. “Smurfing” is the process of using package or insurance policy.
several individuals to deposit illicit cash proceeds into
many accounts at one or several financial institutions in a Layering transactions may become very complex and
single day. involve several of these methods to hide the trail of funds.

Furthermore, cash can be exchanged for traveler’s checks, Integration

food stamps, or other monetary instruments, which can
then also be deposited into financial institutions. The third stage of money laundering is integration, which
Placement can also be done by purchasing goods or typically follows the layering stage. However, as
services, such as a travel/vacation package, insurance mentioned in the discussion of the placement stage,
policies, jewelry, or other “high-ticket” items. These integration can be accomplished simultaneously with the
goods and services can then be returned to the place of placement of funds. After the funds have been placed into
purchase in exchange for a refund check, which can then the financial system and insulated through the layering
be deposited at a financial institution with less likelihood process, the integration phase is used to create the
of detection as being suspicious. Smuggling cash out of a appearance of legality through additional transactions such
country and depositing that cash into a foreign financial as loans, or real estate deals. These transactions provide
institution is also a form of placement. Illegally-obtained the criminal with a plausible explanation as to where the
funds can also be funneled into a legitimate business as funds came from to purchase assets and shield the criminal
cash receipts and deposited without detection. This type of from any type of recorded connection to the funds.
activity actually combines placement with the other two
stages of money laundering, layering and integration, During the integration stage, the funds are returned in a
discussed below. usable format to the criminal source. This process can be
achieved through various schemes, such as:
Layering
• Inflating business receipts,
The second stage of money laundering is typically layering. • Overvaluing and undervaluing invoices,
This stage is the process of moving and manipulating funds • Creating false invoices and shipping documents,
to confuse their sources as well as complicating or partially • Establishing foreign trust accounts,
eliminating the paper trail. Layering may involve moving • Establishing a front company or phony charitable
funds in various forms through multiple accounts at organization, and
numerous financial institutions, both domestic and • Using gold bullion schemes.
international, in a complex series of transactions.
Examples of layering transactions include: These schemes are just a few examples of the integration
stage; the possibilities are not limited.
• Transferring funds by check or monetary instrument;
• Exchanging cashier’s checks and other monetary
Money Laundering Red Flags
instruments for other cashier’s checks, larger or
smaller, possibly adding additional cash or other
Some activities and transactions that are presented to a
monetary instruments in the process;
financial institution should raise the level of concern
• Performing intrabank transfers between accounts
regarding the possibility of potential money laundering
owned or controlled by common individuals (for
activity. Evidence of these “red flags” in an institution’s
example, telephone transfers);
accounts and transactions should prompt the institution,
• Performing wire transfers to accounts under various and examiners reviewing such activity, to consider the
customer and business names at other financial possibility of illicit activities. While these red flags are not
institutions; evidence of illegal activity, these common indicators
• Transferring funds outside and possibly back into the should be part of an expanded review of suspicious
U.S. by various means such as wire transfers, activities.
particularly through “secrecy haven” countries;
General

DSC Risk Management Manual of Examination Policies 8.1-39 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
Transactions should be consistent with the customer’s
• Refusal or reluctance to proceed with a known business or income level.
transaction, or abruptly withdrawing a
transaction. A customer may be reluctant to proceed, • Transactions by non-account holders. A non-
or may even withdraw all or a portion of a transaction account holder conducts or attempts to conduct
after being informed that a CTR will be filed, or that transactions such as currency exchanges, the purchase
the purchase of a monetary instrument will be or redemption of monetary instruments, with no
recorded. This action would be taken to avoid BSA apparent legitimate reason.
reporting and recordkeeping requirements.
Cash Management: Branch and Vault Shipments
• Customer refusal or reluctance to provide
information or identification. A customer may be • Change in currency shipment patterns. Significant
reluctant, or even refuse to provide identifying changes in currency shipment patterns between vaults,
information when opening an account, cashing a branches and/or correspondent banks as noted on cash
check, recording the purchase of a monetary shipment records may indicate a potential money
instrument, or providing information necessary to file laundering scheme occurring in a particular location.
a CTR.
• Large increase in the cash supply. A large,
• Structured or recurring, non-reportable sustained increase in the cash balance would normally
transactions. An individual or group may attempt to cause some increase in the number of CTRs filed.
avoid BSA reporting and recordkeeping requirements Another example of a red flag in this area would be a
by breaking up, or structuring a currency transaction rapid increase in the size and frequency of cash
or purchase of monetary instruments in amounts less deposits with no corresponding increase in non-cash
than the reporting/recordkeeping thresholds. deposits.
Transactions may also be conducted with multiple
banks, branches, customer service representatives, • Currency shipments to or from remote locations.
accounts, and/or on different days in an attempt to Unusually large transactions between a small, remote
avoid reporting requirements. bank and a large metropolitan bank may also indicate
potential money laundering.
• Multiple third parties conducting separate, but
related, non-reportable transactions. Two or more • Significant exchanges of small denomination bills
individuals may go to different tellers or branches and for large denomination bills. Significant increases
each conduct transactions just under the resulting from the exchange of small denominations
reporting/recordkeeping threshold. (This activity is for large denominations may be reflected in the cash
often referred to as “smurfing.”) shipment records.

• Even dollar amount transactions. Numerous • Significant requirement for large bills. Branches
transactions are conducted in even dollar amounts. whose large bill requirements are significantly greater
than the average may be conducting large currency
• Transactions structured to lose the paper trail. exchanges. Branches that suddenly stop shipping
The bank may be asked to process internal debits or large bills may be using them for currency exchanges.
credits containing little or no description of the
transaction in an attempt to “separate” a transaction • International cash shipments funded by multiple
from its account. monetary instruments. This involves the receipt of
funds in the form of multiple official bank checks,
• Significant increases in the number or amount of cashier’s checks, traveler’s checks, or personal checks
transactions. A large increase in the number or that are drawn on or issued by U.S. financial
amount of transactions involving currency, the institutions. They may be made payable to the same
purchase of monetary instruments, wire transfers, etc., individual or business, or related individuals or
may indicate potential money laundering. businesses, and may be in U.S. dollar amounts that are
below the BSA reporting/recordkeeping threshold.
• Transactions which are not consistent with the Funds are then shipped or wired to a financial
customer’s business, occupation, or income level. institution outside the U.S.

Bank Secrecy Act (12-04) 8.1-40 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
• Other unusual domestic or international apparent legitimate reason for opening an account with
shipments. A customer requests an outgoing the bank.
shipment or is the beneficiary of a shipment of
currency, and the instructions received appear • Customers with multiple accounts. A customer
inconsistent with normal cash shipment practices. For maintains multiple accounts at a bank or at different
example, the customer directs the bank to ship the banks for no apparent legitimate reason. The accounts
funds to a foreign country and advises the bank to may be in the same names or in different names with
expect same day return of funds from sources different different signature authorities. Routine inter-account
than the beneficiary named, thereby changing the transfers provide a strong indication of accounts under
source of the funds. common control.

• Frequent cash shipments with no apparent • Frequent deposits or withdrawals with no apparent
business reason. Frequent use of cash shipments that business source. The customer frequently deposits or
is not justified by the nature of the customer’s business withdraws large amounts of currency with no apparent
may be indicative of money laundering. business source, or the business is of a type not known
to generate substantial amounts of currency.
Currency Exchanges and Other Currency Transactions
• Multiple accounts with numerous deposits under
• Unusual exchange of denominations. An individual $10,000. An individual or group opens a number of
or group seeks the exchange of small denomination accounts under one or more names, and makes
bills (five, ten and twenty dollar bills) for large numerous cash deposits just under $10,000, or
denomination bills (hundred dollar bills), without any deposits containing bank checks or traveler’s checks,
apparent legitimate business reason. or a combination of all of these.

• Check cashing companies. Large increases in the • Numerous deposits under $10,000 in a short period
number and/or amount of cash transactions for check of time. A customer makes numerous deposits under
cashing companies. $10,000 in an account in short periods of time, thereby
avoiding the requirement to file a CTR. This includes
• Unusual exchange by a check cashing service. No deposits made at an ATM.
exchange or cash back for checks deposited by an
individual who owns a check cashing service can • Accounts with a high volume of activity and low
indicate another source of cash. balances. Accounts with a high volume of activity,
which carry low balances, or are frequently
• Suspicious movement of funds. Suspicious overdrawn, may be indicative of money laundering or
movement of funds out of one financial institution, check kiting.
into another financial institution, and back into the
first financial institution can be indicative of the • Large deposits and balances. A customer makes
layering stage of money laundering. large deposits and maintains large balances with little
or no apparent justification.
Deposit Accounts
• Deposits and immediate requests for wire transfers
• Minimal, vague or fictitious information provided. or cash shipments. A customer makes numerous
An individual provides minimal, vague, or fictitious deposits in an account and almost immediately
information that the financial institution cannot readily requests wire transfers or a cash shipment from that
verify. account to another account, possibly in another
country. These transactions are not consistent with the
• Lack of references or identification. An individual customer’s legitimate business needs. Normally, only
attempts to open an account without references or a nominal amount remains in the original account.
identification, gives sketchy information, or refuses to
provide the information needed by the financial • Numerous deposits of small incoming wires or
institution. monetary instruments, followed by a large
outgoing wire. Numerous small incoming wires
• Non-local address. The individual does not have a and/or multiple monetary instruments are deposited
local residential or business address and there is no

DSC Risk Management Manual of Examination Policies 8.1-41 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
into an account. The customer then requests a large • Client, trust and escrow accounts. Substantial cash
outgoing wire to another institution or country. deposits by a professional customer into client
accounts, or in-house company accounts, such as trust
• Accounts used as a temporary repository for funds. and escrow accounts.
The customer appears to use an account as a
temporary repository for funds that ultimately will be • Large amount of food stamps. Unusually large
transferred out of the financial institution, sometimes deposits of food stamps, which may not be consistent
to foreign-based accounts. There is little account with the customer’s legitimate business.
activity.
Lending
• Funds deposited into several accounts, transferred
to another account, and then transferred outside of • Certificates of deposits used as collateral. An
the U.S. This involves the deposit of funds into individual buys certificates of deposit and uses them as
several accounts, which are then combined into one loan collateral. Illegal funds can be involved in either
account, and ultimately transferred outside the U.S. the certificate of deposit purchase or utilization of loan
This activity is usually not consistent with the known proceeds.
legitimate business of the customer.
• Sudden/unexpected payment on loans. A customer
• Disbursement of certificates of deposit by multiple may suddenly pay down or pay off a large loan, with
bank checks. A customer may request disbursement no evidence of refinancing or other explanation.
of the proceeds of a certificate of deposit or other
investments in multiple bank checks, each at or under • Reluctance to provide the purpose of the loan or
$10,000. The customer can then negotiate these the stated purpose is ambiguous. A customer
checks elsewhere for currency. The customer avoids seeking a loan with no stated purpose may be trying to
the CTR requirements and severs the paper trail. conceal the true nature of the loan. The BSA requires
the bank to document the purpose of all loans over
• Early redemption of certificates of deposits. A $10,000, with the exception of those secured by real
customer may request early redemption of certificates property.
of deposit or other investments within a relatively
short period of time from the purchase date of the • Inconsistent or inappropriate use of loan proceeds.
certificate of deposit or investment. The customer There may be cases of inappropriate disbursement of
may be willing to lose interest and incur penalties as a loan proceeds, or disbursements for purposes other
result of the early redemption. than the stated loan purpose.

• Sudden, unexplained increase in account activity or • Overnight loans. A customer may use “overnight”
balance. There may be a sudden, unexplained loans to create high balances in accounts.
increase in account activity, both from cash and from
non-cash items. An account may be opened with a • Loan payments by third parties. Loans that are paid
nominal balance that subsequently increases rapidly by a third party could indicate that the assets securing
and significantly. the loan are really those of a third party, who may be
attempting to conceal ownership of illegally, gained
• Limited use of services. Frequent large cash deposits funds.
are made by a corporate customer, who maintains high
balances but does not use the financial institution’s • Loan proceeds used to purchase property in the
other services. name of a third party, or collateral pledged by a
third party. A customer may use loan proceeds to
• Inconsistent deposit and withdrawal activity. purchase, or may pledge as collateral, real property in
Retail businesses may deposit numerous checks, but the name of a trustee, shell corporation, etc.
there will rarely be withdrawals for daily operations.
• Permanent mortgage financing with an unusually
• Strapped currency. Frequent deposits of large short maturity, particularly in the case of large
amounts of currency, wrapped in currency straps that mortgages.
have been stamped by other financial institutions.

Bank Secrecy Act (12-04) 8.1-42 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
• Structured down payments or escrow money
transactions. An attempt to “structure” a down • Incomplete or fictitious information. The customer
payment or escrow money transaction may be made in may conduct transactions involving monetary
order to conceal the true source of the funds used. instruments that are incomplete or contain fictitious
payees, remitters, etc.
• Attempt to sever the paper trail. Attempts may be
made by the customer or bank to sever any paper trail • Large cash amounts. The customer may purchase
connecting a loan to the collateral. cashier’s checks, money orders, etc., with large
amounts of cash.
• Wire transfer of loan proceeds. A customer may
request that loan proceeds be wire transferred for no Safe Deposit Boxes
apparent legitimate reason.
• Frequent visits. The customer may visit a safe
• Disbursement of loan proceeds by multiple bank deposit box on an unusually frequent basis.
checks. A customer may request disbursement of loan
proceeds in multiple bank checks, each under $10,000. • Out-of-area customers. Safe deposit boxes may be
The customer can then negotiate these checks opened by individuals who do not reside or work in
elsewhere for currency. The customer avoids the the banks service area.
currency transaction reporting requirements and severs
the paper trail. • Change in safe deposit box traffic pattern. There
may be traffic pattern changes in the safe deposit box
• Loans to companies outside the U.S. Unusual loans area. For example, more people may enter or enter
to offshore customers, and loans to companies more frequently, or people carry bags or other
incorporated in “secrecy havens” are higher risk containers that could conceal large amounts of cash.
activities.
• Large amounts of cash maintained in a safe deposit
• Financial statement. Financial statement box. A customer may access the safe deposit box after
composition of a business differs greatly from those of completing a transaction involving a large withdrawal
similar businesses. of cash, or may access the safe deposit box prior to
making cash deposits which are just under $10,000.
Monetary Instruments
• Multiple safe deposit boxes. A customer may rent
• Structured purchases of monetary instruments. An multiple safe deposit boxes if storing large amounts of
individual or group purchases monetary instruments currency.
with currency in amounts below the $3,000 BSA
recordkeeping threshold. Wire Transfers

• Replacement of monetary instruments. An • Wire transfers to countries widely considered

individual uses one or more monetary instruments to “secrecy havens.” Transfers of funds to well known
purchase another monetary instrument(s). “secrecy havens.”

• Frequent purchase of monetary instruments • Incoming/outgoing wire transfers with instructions

without apparent legitimate reason. A customer to the receiving institution to pay upon proper
may repeatedly buy a number of official bank checks identification. The instructions to the receiving bank
or traveler’s checks with no apparent legitimate are to “pay upon proper identification.” If paid for in
reason. cash, the amount may be just under $10,000 so no
CTR is required. The purchase may be made with
• Deposit or use of multiple monetary instruments. numerous official checks or other monetary
The deposit or use of numerous official bank checks or instruments. The amount of the transfer may be large,
other monetary instruments, all purchased on the same or the funds may be sent to a foreign country.
date at different banks or different issuers of the
instruments may indicate money laundering. These • Outgoing wire transfers requested by non-account
instruments may or may not be payable to the same holders. If paid in cash, the amount may be just under
individual or business. $10,000 to avoid the CTR filing requirement.

DSC Risk Management Manual of Examination Policies 8.1-43 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
Alternatively, the transfer may be paid with several individuals or businesses, in U.S. dollar amounts that
official checks or other monetary instruments. The are below the BSA reporting threshold. The funds are
funds may be directed to a foreign country. then wired to a financial institution outside the U.S.

• Frequent wire transfers with no apparent business • Other unusual domestic or international funds
reason. A customer’s frequent wire transfer activity is transfers. The customer requests an outgoing wire or
not justified by the nature of their business. is the beneficiary of an incoming wire, and the
instructions appear inconsistent with normal wire
• High volume of wire transfers with low account transfer practices. For example, the customer directs
balances. The customer requests a high volume of the bank to wire the funds to a foreign country and
incoming and outgoing wire transfers but maintains advises the bank to expect same day return of funds
low or overdrawn account balances. from sources different than the beneficiary named,
thereby changing the source of the funds.
• Incoming and outgoing wires in similar dollar
amounts. There is a pattern of wire transfers of • No change in form of currency. Funds or proceeds
similar amounts both into and out of the customer’s of a cash deposit may be wired to another country
account, or related customer accounts, on the same day without changing the form of currency.
or next day. The customer may receive many small
incoming wires, and then order a large outgoing wire Other Activities Involving Customers and Bank Employees
transfer to another city or country.
• Questions or discussions on how to avoid
• Large wires by customers operating a cash reporting/recordkeeping. This involves discussions
business. Could involve wire transfers by customers by individuals about ways to bypass the filing of a
operating a mainly cash business. The customers may CTR or recording the purchase of a monetary
be depositing large amounts of currency. instrument.

• Cash or bearer instruments used to fund wire • Customer attempt to influence a bank employee
transfers. Use of cash or bearer instruments to fund not to file a report. This would involve any attempt
wire transfers may indicate money laundering. by an individual or group to threaten, bribe, or
otherwise corruptly influence a bank employee to
• Unusual transaction by correspondent financial bypass the filing of a CTR, the recording of purchases
institutions. Suspicious transactions may include: (1) of monetary instruments, or the filing of a SAR.
wire transfer volumes that are extremely large in
proportion to the asset size of the bank; (2) when the • Lavish lifestyles of customers or bank employees.
bank’s business strategy and financial statements are Lavish lifestyles of customers or employees, which are
inconsistent with a large volume of wire transfers, not supported by their current salary, may indicate
particularly outside the U.S.; or (3) a large volume of possible involvement in money laundering activities.
wire transfers of similar amounts in and out on the
same or next day. • Short-term or no vacations. A bank employee may
be reluctant to take any vacation time or may only take
• International funds transfer(s) which are not short vacations (one or two days).
consistent with the customer’s business.
International transfers, to or from the accounts of • Circumvention of internal control procedures.
domestic customers, in amounts or with a frequency Overrides of internal controls, recurring exceptions,
that is inconsistent with the nature of the customer’s and out-of-balance conditions may indicate money
known legitimate business activities could indicate laundering activities. For example, bank employees
money laundering. may circumvent wire transfer authorizations and
approval policies, or could split wire transfers to avoid
• International transfers funded by multiple ceiling limitations.
monetary instruments. This involves the receipt of
funds in the form of multiple official bank checks, • Incorrect or incomplete CTRs. Employees may
traveler’s checks, or personal checks that are drawn on frequently submit incorrect or incomplete CTRs.
or issued by U.S. financial institutions and made
payable to the same individual or business, or related Terrorist Financing Red Flags

Bank Secrecy Act (12-04) 8.1-44 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
activities, or violations of the BSA. However, if a financial
Methods used by terrorists to generate funds can be both institution insider is involved in the suspicious
legal and illegal. In the U.S., it is irrelevant whether transaction(s), a SAR must be filed at any transaction
terrorist funding is obtained legally or illegally; any funds amount. Other suspected criminal activity requires filing a
provided to support terrorist activity are considered to be SAR if the transactions aggregate $5,000 or more and a
laundered money. Funding from both legal and illegal suspect can be identified. If the financial institution is
sources must be laundered by the terrorist in order to unable to identify a suspect, but believes it was an actual or
obscure links between the terrorist group (or cell) and its potential victim of a criminal violation, then a SAR must
funding sources and uses. Terrorists and their support be filed for transactions aggregating $25,000 or more.
organizations typically use the same methods that criminal Although these are the required transaction levels for filing
groups use to launder funds. In particular, terrorists appear a SAR, a financial institution may voluntarily file a SAR
to favor: for suspicious transactions below these thresholds. SAR
filings are not used for reporting robberies to local law
• Cash smuggling, both by couriers or in bulk cash enforcement, or for lost, counterfeit, or stolen securities
shipments; that are reported pursuant to 17 CFR 240.17f-1.
• Structured deposits and/or withdrawals;
• Purchases of monetary instruments; If the suspicious transaction involves currency and exceeds
• Use of credit and/or debit cards; and $10,000, the financial institution will also need to file a
• Use of underground banking systems. CTR in addition to a SAR.

For suspected money laundering and violations of the

While it is not the primary function of an examiner to
BSA, a financial institution must file a SAR, if it knows,
identify terrorist financing while examining an institution
suspects, or has reason to suspect that:
for BSA compliance, examiners and financial institution
management should be cognizant of suspicious activities or
unusual transactions that are common indicators of terrorist • The transaction involves funds derived from illegal
financing. Institutions are encouraged to incorporate activities or is intended or conducted in order to
procedures into their BSA/AML compliance programs that conceal funds or assets derived from illegal activities
address notifying the proper Federal agencies when serious (including without limitation, the ownership, nature,
concerns of terrorist financing activities are encountered. source, location, or control of such funds or assets), as
At a minimum, these procedures should require the part of a plan to violate or evade any Federal law or
institution to contact FinCEN’s Financial Institutions regulation or to avoid any transaction reporting
Hotline to report such activities. requirement under Federal law;
• The transaction is designed to evade any regulation
promulgated under the BSA; or
• The transaction has no business or apparent lawful
SUSPICIOUS ACTIVITY REPORTING
purpose or is not the sort of transaction in which the
particular customer would normally be expected to
Part 353 of the FDIC’s Rules and Regulations requires
engage, and the financial institution knows of no
insured state nonmember banks to report known or
reasonable explanation for the transaction after
suspected criminal offenses to the Treasury. The SAR
examining the available facts, including the
form to be used by financial institutions is Form TD F 90-
background and possible purpose of the transaction.
22.47 and is available on the FinCEN website. FinCEN is
the repository for these reports, but content is owned by the
Federal Banking Agencies. The SAR form is used to Preparation of the SAR Form
report many types of suspected criminal violations. Details
of the criminal violations can be found in the Criminal The SAR form requires the financial institution to complete
Violations section of this manual. detailed information about the suspect(s) of the transaction,
the type of suspicious activity, the dollar amount involved,
along with any loss to the financial institution, and
Suspicious Activities and Transactions
information about the reporting financial institution. Part
Requiring SAR Filings V of the SAR form requests a narrative description of the
suspect violation and transactions and is used to document
Among the suspicious activities required to be reported are what supporting information and records the financial
any transactions aggregating $5,000 or more that involve institution retains. This section is considered very critical
potential money laundering, suspected terrorist financing in terms of explaining the apparent criminal activity to law

DSC Risk Management Manual of Examination Policies 8.1-45 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
enforcement and regulatory agencies. The information Similarly, for the date range of suspicious activity, the
provided in this section should be complete, accurate, and financial institution should maintain the original “start”
well-organized. This section should contain additional date and extend the “to” date to include the 90 day period
information on suspects, describe instruments and methods in which the suspicious and reportable activity continued.
of facilitating the transaction, and provide any follow-up
action taken by the financial institution. Data inserts in the Failure to File SARs
form of tables or graphics are discouraged as they are not
compatible with the SAR database at FinCEN. Also, If an examiner determines that a financial institution has
attachments to a SAR form will not be stored in the failed to file a SAR when there is evidence to indicate a
database because they do not conform to the database report should have been filed, the examiner should instruct
format. Consequently, a narrative in Part V that states only the financial institution to immediately file the SAR. If the
“see attached” will result in no meaningful description of financial institution refuses, the examiner should complete
the transaction, rendering the record in this field the SAR and cite violations of Part 353 of the FDIC’s
insufficient. Rules and Regulations, providing limited details of
suspicious activity or the SAR in the Report of
The financial institution is also encouraged to detail a Examination. In instances involving a senior officer or
listing of documentation available that supports the SAR director of the financial institution, examiners may prepare
filing in Part V of the SAR form. This notice will provide the SAR, rather than request the financial institution to do
law enforcement the awareness necessary to ensure timely so in order to ensure that the SAR explains the suspicious
access to vital information, if further investigation results activity accurately and completely. Each Regional Office
from the SAR filing. All documentation supporting the is responsible for monitoring SARs filed within that region.
SAR must be stored by the financial institution for five Examiner-prepared SARs should be forwarded to their
years and is considered property of the U.S. Government. Regional Special Activities Case Manager to ensure timely
and proper filing. Any examiner-prepared SARs and all
FinCEN has provided ongoing guidance on how to prepare supporting documents should be maintained in the field
SAR forms in its publication, “SAR Activity Reviews,” office files for five years.
under a section on helpful hints, tips, and suggestions on
SAR filing. These publications are available at the SAR Filing Methods
FinCEN website. Financial institution management should
be encouraged to review current and past issues as an aid SARs can be filed in paper form, by magnetic tape, or
in properly completing SARs. through the Patriot Act Communications System. Financial
institutions may contact law enforcement and their Federal
SAR Filing Deadlines Banking Agency to notify them of the suspicious activity,
and these contacts should be noted on the SAR form.
By regulation, SAR forms are required to be filed no later
than 30 calendar days after the date of initial detection of Notification to Board of Directors of
facts that may constitute a basis for filing a SAR. If no
suspect was identified on the date of detection of the SAR Filings
incident requiring the filing, a financial institution may
delay filing a SAR for an additional 30 calendar days in Section 353.3 of the FDIC’s Rules and Regulations
order to identify a suspect. In no case shall reporting be requires the financial institution’s board of directors, or
delayed more than 60 days after the date of initial detection designated committee, be promptly notified of any SAR
of a reportable transaction. filed. However, if the subject of the SAR is a senior
officer or member of the board of directors of the financial
Customers Engaging in Ongoing Suspicious Activity institution, notification to the board of directors should be
handled differently in order to avoid violating Federal laws
If a customer’s suspicious activity continues to occur, that prohibit notifying a suspect or person involved in the
FinCEN recommends the financial institution file an update suspicious transaction that forms the basis of the SAR. In
on the activity and amounts every 90 days using the SAR these situations, it is recommended that appropriate senior
form. In such instances, the financial institution should personnel not involved in the suspicious activity be advised
aggregate the dollar amount of previously reported activity of the SAR filing and this process be documented.
and the dollar amount of the newer activity and put this
amount in the box on the SAR requesting “total dollar In cases of financial institutions that file a large volume of
amount involved in known or suspicious activity.” SARs, it is not necessary that the board of directors, or

Bank Secrecy Act (12-04) 8.1-46 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
designated committee thereof, review each and every SAR institutions who participate in preparing and reporting of
document. It is acceptable for the BSA officer to prepare SARs under safe harbor protections. Section 355 of the
an internal tracking report that briefly discusses all of the USA PATRIOT Act, implemented at Section 18(w) of the
SARs filed for a particular month. As long as this tracking FDI Act, established a means by which financial
report is meaningful in content, then the institution will still institutions can share factual information of suspected
be meeting the requirements of Part 353 of the FDIC’s involvement in criminal activity with each other in
Rules and Regulations. Such a report would identify the connection with references for employment. To comply,
following information for each SAR filed: employment references must be written and the disclosure
made without malicious intent. The financial institution
• Customer’s name and any additional suspects; still may not disclose that a SAR was filed. The sharing of
• Social Security Number or TIN; employment information is voluntary and should be done
• Account number (if a customer); under adequate procedures, which may include review by
• The date range of suspicious activity; the institution’s legal counsel to assess potential for claims
• The dollar amount of suspicious activity; of malicious intent.
• Very brief synopsis of reported activity (for example,
“cash deposit structuring” or “wire transfer activity Examination Guidance
inconsistent with business/occupation”); and
• Indication of whether it is a first-time filing or repeat Examiners should ensure that the financial institution has
filing on the customer/suspects. procedures in place to identify and report suspicious
activity for all of the financial institution’s departments and
Such a tracking report promotes efficiency in review of activities. The guidance may be contained in several
multiple SAR filings. Nevertheless, there are still some policies and procedures; however, it may be advisable for
SARs that the board of directors, or designated committee the financial institution to centrally manage the reporting of
thereof, should review individually. Such “significant suspicious activities to ensure that transactions are being
SARs” would include those that involve insiders reported, when appropriate. A single point of contact can
(notwithstanding the guidance above regarding the also expedite law enforcement contacts and requests to
handling of SARs involving board members and senior review specific SARs and their supporting documentation.
management), suspicious activity above an internally
determined dollar threshold, those involving significant As part of its BSA and anti-money laundering programs,
check kiting activity, etc. Financial institutions are the financial institution’s policies should detail procedures
encouraged to develop their own parameters for defining for complying with suspicious activity reporting
“significant SARs” necessitating full reviews; such requirements. These procedures should define reportable
guidance needs to be written and formalized within board suspicious activity. Financial institutions are encouraged
approved BSA policies and procedures. to elaborate and clarify definitions using examples and
discussion of the criminal violations. Parameters to filter
Safe Harbor for Institutions on SAR Filings transactions and review for customer suspicious activity
should also be established. Typically, the criteria will be
A financial institution that files a SAR is accorded safe used to identify exceptions to expected customer and
harbor from civil liability for filing reports of suspected or transaction activity patterns and identify high-risk
known criminal violations and suspicious activities with customers, whose accounts and transactions should be
appropriate authorities. Any financial institution that is subject to enhanced scrutiny. Procedures to facilitate
subpoenaed or otherwise requested to disclose information accurate and timely filing of SARs, as well as to ensure
contained in a SAR or the fact that a SAR was filed to proper maintenance of supporting documentation, should
others shall decline to produce the SAR or provide any also be prescribed. Procedures to document decisions not
information or statements that would disclose that a SAR to file a SAR should also be established. Reporting
has been prepared or filed. This prohibition does not requirements, including reporting SAR filings to senior
preclude disclosure of facts that are the basis of the SAR, management and institution directors should be defined.
as long as the disclosure does not state or imply that a SAR Any additional actions, such as closer monitoring or
has been filed on the underlying information. closing of an involved account(s) that the financial
institution may wish to take should be defined in the
Recently, the safe harbor protections were reiterated and policy. Many institutions are concerned about facilitating
expanded. Section 351 of the USA PATRIOT Act, money laundering by continuing to process these
amended Section 5318(g)(3) of 31 USC and included suspicious transactions. As there is no requirement to
directors, officers, employees, and agents of the financial close an account, the institution should assess each

DSC Risk Management Manual of Examination Policies 8.1-47 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
situation and provide corresponding guidance on this area Nations and other international mandates. Sanctions can
in its policy. If the financial institution does plan to close include one or more of the following:
an account that is under investigation by law enforcement,
then the institution should notify law enforcement of its • Blocking of assets,
intent to close the account. • Trade embargoes,
• Prohibition on unlicensed trade and/or financial
SAR Database transactions,
• Travel bans, and
If examiners need specific SAR filing information, they • Other financial and commercial prohibitions.
should contact their Regional SACM or other designees.
These specially designated individuals have access to the A complete list of countries and other specially-designated
FinCEN computer system and the database containing targets that are currently subject to U.S. sanctions and a
records of SAR filings. The database contains information detailed description of each order can be found on the
from SARs filed by all federally insured financial Treasury website.
institutions. The database is maintained according to the
numbered reporting fields in the SAR form, so information OFAC Applicability
can be searched, for example, by suspect, type of violation,
or location. OFAC regulations apply to all U.S. persons and entities,
including financial institutions. As such, all U.S. financial
Under current guidance, examiners should obtain a listing institutions, their branches and agencies, international
or copies of the SARs filed in the current and previous two banking facilities, and domestic and overseas branches,
years by a financial institution for pre-examination offices, and subsidiaries must comply with OFAC
planning purposes. Additional searches may be requested sanctions.
as needed, such as to identify whether a SAR has been filed
for suspicious activity discovered during the examination,
Blocking of Assets, Accounts,
or to obtain information about additional SAR filings on a
particular suspect or group of transactions. and Transactions

For additional guidance on obtaining SAR data, refer to the OFAC regulations require financial institutions to block
detailed instructions provided within the “Currency and accounts and other assets and prohibit unlicensed trade and
Banking Retrieval System” discussion within the financial transactions with specified countries. Assets and
“Financial Crimes Enforcement Network Reporting and accounts must be blocked when that property is located in
Recordkeeping Requirements” section of this chapter. the U.S., or is held by, possessed by, or under the control
of U.S. persons or entities. The definition of assets and
property can include anything of direct, indirect, present,
future, and contingent value. Since this definition is so
OFFICE OF FOREIGN ASSETS CONTROL broad, it can affect many types of products and services
provided by financial institutions.
The Treasury’s Office of Foreign Assets Control
administers laws that impose economic and trade sanctions
OFAC regulations also direct that prohibited accounts of
based on foreign policy and national security objectives.
and transactions with SDNs and Blocked Persons need to
Sanctions have been established against various entities
be blocked or rejected. Generally, U.S. financial
and individuals such as targeted foreign countries,
institutions must block or freeze funds that are remitted by
terrorists, international narcotics traffickers, and those
or on behalf of a blocked individual or entity, are remitted
engaging in activities relating to the proliferation of
to or through a blocked entity, or are remitted in
weapons of mass destruction. Collectively, such
connection with a transaction in which a blocked entity has
individuals and companies are called Specially Designated
an interest. For example, a financial institution cannot
Nationals (SDNs) and Blocked Persons.
send a wire transfer to a blocked entity; once a payment
order has been received from a customer, those funds must
OFAC acts under Presidential wartime and national
be placed in an account on the blocked entity’s behalf. The
emergency powers, in addition to authority granted by
interest rate must be a commercially reasonable rate (i.e., at
specific legislation. OFAC has powers to impose controls
a rate currently offered to other depositors with similar
on transactions and to freeze foreign assets under U.S.
deposit size and terms). Customers cannot cancel or
jurisdiction. Sanctions can be specific to the interests of
amend payment orders on blocked funds after the U.S.
the U.S.; however, many sanctions are based on United

Bank Secrecy Act (12-04) 8.1-48 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
financial institution has received the order or the funds in OFAC frequently publishes updates to its list of SDNs and
question. Once these funds are blocked, they may be Blocked Persons. This list identifies individuals and
released only by specific authorization from the Treasury. companies owned or controlled by, or acting for or on
Full guidelines for releasing blocked funds are available on behalf of, targeted countries. It also includes those
the OFAC website. Essentially, either the financial individuals, groups, and entities, such as terrorists and
institution or customer files an application with OFAC to narcotics traffickers designated under programs that are not
obtain a license or authorization to release the blocked country-specific. OFAC adds and removes names as
funds. necessary and appropriate and posts those updates to its
website. The Special Activities Section in Washington
Rejected transactions are those that are to be stopped D.C. notifies FDIC-supervised institutions that updates to
because the underlying action is prohibited and cannot be the SDN and Blocked Persons List are available through
processed per the sanctions program. Rejected Financial Institution Letters.
transactions are to be returned to the sending institution.
Transactions include, but are not limited to, the following: Maintaining an updated SDN and Blocked Persons list is
essential to an institution’s compliance with OFAC
• Cash deposits; regulations. It is important to remember that outstanding
• Personal, official, and traveler’s checks; sanctions can and do change and names of individuals and
• Drafts; entities are added to the list frequently. Financial
• Loans; institutions should establish procedures to ensure that its
• Obligations; screening information is up-to-date to prevent accepting,
• Letters of credit; processing, or facilitating illicit financial transactions and
• Credit cards; the potential civil liability that may result.
• Warehouse receipts;
• Bills of sale; Financial Institution Responsibilities – OFAC
• Evidences of title; Programs and Monitoring Systems
• Negotiable instruments, such as money orders;
• Trade acceptances; Financial institutions are subject to the prohibitions and
• Wire transfers; reporting required by OFAC regulations; however, there
• Contracts; are not any regulatory program requirements for
• Trust assets; and compliance. Neither OFAC nor Federal financial
• Investments. institution regulators have established laws or regulations
dictating what banking records must be screened for
matches to the OFAC list, or how frequently reviews
OFAC Reporting Requirements should be performed. A violation of law occurs only when
the institution conducts a blocked or rejected transaction,
OFAC imposes reporting requirements for blocked regardless of whether the financial institution is aware of it.
property and blocked or rejected transactions. OFAC does Additionally, institutions that fail to block and report a
not take control of blocked or rejected funds, but it does transfer (which is subsequently blocked by another bank)
require financial institutions to report all blocked property may be subject to adverse publicity, fines, and even
to OFAC annually by September 30th. Additionally, criminal penalties.
financial institutions must notify OFAC of blocked or
rejected transactions within 10 days of their occurrence. OFAC has the authority to assess CMPs for any sanction
violation, and these penalties can be severe. Over the past
When an institution identifies an entity that is an exact several years, OFAC has had to impose millions of dollars
match, or has many similarities to a subject listed on the in CMPs involving U.S. financial institutions. The
SDN and Blocked Persons List, the institution should majority of these fines resulted from institution’s failure to
contact OFAC Compliance at 1-800-540-6322 for block illicit transfers when there was a reference to a
verification. Unless a transaction involves an exact match, targeted country or SDN. While the maximum penalties
it is recommended that the institution contact OFAC are established by law, OFAC will consider the Federal
Compliance before blocking assets. banking regulator’s most recent assessment of the financial
institution’s OFAC compliance program as one of the
Issuance of OFAC Lists mitigating factors for determining any penalty. In addition,
OFAC can pursue criminal penalties if there is any
evidence of criminal intent on the part of the financial

DSC Risk Management Manual of Examination Policies 8.1-49 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
institution or its employees. Criminal penalties provide for • Methods for conveying timely OFAC updates
imprisonment up to 30 years and fines ranging up to $10 throughout the financial institution, including offshore
million. locations and subsidiaries;
• Procedures for handling and reporting prohibited
Furthermore, financial institutions are not permitted to OFAC transactions;
transfer responsibility for OFAC compliance to • Guidance for SAR filings on OFAC matches, if
correspondent banks or a contracted third party, such as a appropriate, such as when criminal intent or terrorist
data processing service provider. Each financial institution activity is involved;
is responsible for every transaction occurring by or through • Internal review or audit of the OFAC processes in
its systems. If a sanctioned transaction transverses several each affected department; and
U.S. financial institutions, all of these institutions will be • Training for all appropriate employees, including
subject to the same civil or criminal action, with the those in offshore locations and subsidiaries.
exception of the financial institution that blocked or
rejected the transaction, as appropriate. Departmental and product risk assessments are
fundamental to a sound OFAC compliance program.
Examination Considerations These assessments allow institution management to ensure
appropriate focus on high-risk areas, such as correspondent
Financial institutions should establish and maintain banking activities and electronic funds transfers. An
effective OFAC programs and screening capabilities in effective program will filter as many transactions as
order to facilitate safe and sound banking practices. It is possible through OFAC’s SDN and Blocked Persons List,
not the examiner’s primary duty to identify unreported whether they are completed manually or through the use of
accounts or transactions within an institution. Rather, a third party software program. However, when evaluating
examination procedures should focus on evaluating the an institution’s compliance program, examiners should
adequacy of an institution’s overall OFAC compliance consider matters such as the size and complexity of the
program and procedures, including the systems and institution. Adequate compliance procedures can and
controls in place to reasonably assure accounts and should be targeted to transactions that pose the greatest risk
transactions are blocked and rejected. to an institution. Some transactions may be difficult to
capture within a risk-focused compliance program. For
In reviewing an institution’s OFAC compliance program, example, a customer could write a personal check to a
examiners should evaluate the operational risks the blocked entity; however, the only way the financial
financial institution is willing to accept and determine if institution that the check is drawn upon could block those
this exposure is reasonable in comparison with the business funds would be if it reviewed the payee on each personal
type, department or product, customer base, and cost of an check, assuming the information is provided and legible.
effective screening program for that particular institution, Under current banking practices, this would be costly and
based on its risk profile. time consuming. Most financial institutions do not have
procedures for interdicting these transactions, and, yet, if
The FDIC strongly recommends that each financial such a transaction were to be processed by a U.S. financial
institution adopt a risk-focused, written OFAC program institution, it is a violation of OFAC regulations and could
designed to ensure compliance with OFAC regulations. An result in CMPs against the bank.
effective OFAC program should include the following:
However, if a financial institution only screens its wire
• Written policies and procedures for screening transfers through the OFAC SDN and Blocked Persons
transactions and new customers to identify possible List and never screens its customer database, that is a much
OFAC matches; higher and, likely, unacceptable risk for the financial
• Qualified individual to monitor compliance and institution to assume in relation to the time and expense to
oversee blocked funds; perform such a review. Particular risk areas that should be
• OFAC risk-assessment for various products and screened by all financial institutions include:
departments within the financial institution;
• Guidelines and internal controls to ensure the periodic • Incoming and outgoing electronic transactions, such as
screening of all existing customer accounts; ACH;
• Procedures for obtaining and maintaining up-to-date • Funds transfers, including message or instruction
OFAC lists of blocked countries, entities, and fields;
individuals; • Monetary instrument sales; and

Bank Secrecy Act (12-04) 8.1-50 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
• Account beneficiaries, signors, powers of attorney, compliance program is considered inadequate, an apparent
and beneficial owners. violation of Part 326.8(b)(1) of the FDIC’s Rules and
Regulations should also be cited.
As mentioned previously, account and transaction
screening may be done manually, or by utilizing computer Example 1
software available from the Treasury website or other third
party vendors. In fact, many institutions have outsourced An examiner is conducting a BSA review at Urania Bank,
this function. If automated, OFAC offers the SDN list in a a $100 million dollar financial institution in El Paso,
delimited file format file that can be imported into some Texas. The examiner identifies a systemic violation
software programs. Commercial vendors also offer several because the financial institution has not filed CTRs on cash
OFAC screening software packages with various purchases of monetary instruments. This is an apparent
capabilities and costs. If an institution utilizes an violation of 31 CFR 103.22(b)(1). The examiner also
automated system to screen accounts and transactions, identifies a complete failure to scrub the institution’s
examiners should ensure that the institution’s policies and database against 314(a) Requests. This is an apparent
procedures address the following: violation of 31 CFR 103.100(b)(2). In addition, the
examiner identifies numerous incomplete CTRs in apparent
• OFAC updates are timely; violation of 31 CFR 103.27(d). Because of the internal
• OFAC verification can be and is completed in a control inadequacies, the examiner also cites an apparent
reasonable time; violation of Section 326.8(c)(1). The examiner further
• Screening is completed by all of bank departments and determines that the problems are sufficiently serious,
related organizations; and warranting the citation of an apparent violation of Section
• Process is reasonable in relation to the institution’s 326.8(b)(1) for failure to develop and provide for an
risk profile. adequate BSA program. After doing additional research,
the examiner determines that an apparent violation of
Wholly-owned securities and insurance subsidiaries of Section 326.8(c)(2) should also be cited for inadequate
financial institutions must also adopt an OFAC compliance independent testing that should have identified the ongoing
program tailored to meet industry specific needs. The weaknesses found by the examiner. Furthermore, the
OFAC website provides additional reference material to examiner decides that an apparent violation of Section
these industries concerning compliance program content 326.8(c)(4) should be cited for inadequate training.
and procedures. Employees are given cursory BSA training each year;
however, no training exists for appropriate identification of
OFAC maintains current information and FAQs on its cash activity and adequate CTR filings. The examiner also
website. For any questions, OFAC encourages financial determines that an apparent violation of Section
institutions to contact its Compliance Hotline at 800-540- 326.8(c)(3) is appropriate because the BSA officer at
6322 (7:30am-6:00pm, weekdays). Urania Bank comes in only two days per week. This is
clearly inadequate for a financial institution of this size and
complexity, as exhibited by the systemic BSA problems.
In addition to fully addressing these deficiencies in the
EXAMPLES OF PROPER CITATION OF
Violations and Risk Management sections of the Report of
APPARENT VIOLATIONS OF Examination, the Examiner-In-Charge fully details the
BSA-RELATED REGULATIONS IN THE findings, weaknesses, and management responses on the
REPORT OF EXAMINATION Examiner Comments and Conclusions pages.

The situations depicted in the examples below are intended Example 2

to provide further clarification on when and how to cite
apparent violations of the BSA and implementing Examiners at Delirium Thrift, a $500 million financial
regulations, within the context of findings that are typical institution in Southern California, begin the BSA review by
for BSA reviews conducted during regular Safety & requesting the wire transfer log for incoming and outgoing
Soundness examinations. As is often the case, deficiencies transactions. Information being obtained by the institution
identified within an institution’s BSA compliance policies for the outgoing wire transfers is identified as inadequate.
and procedures may lead to the citation of one or more Consequently, the examiners cite an apparent violation of
apparent violations. The identification of numerous and/or 31 CFR 103.33(g)(1). Additional research reveals that
severe deficiencies may indicate an ineffective and deficiencies in the wire log information are attributed to
inadequate program. When an institution’s BSA several branch locations that are failing to provide

DSC Risk Management Manual of Examination Policies 8.1-51 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
sufficient information to the wire transfer department. and report suspicious activities and, therefore, cites an
Because the deficiencies are isolated to transactions apparent violation of Section 326.8(b)(1).
originating in a few locations, examiners determine that the
deficiencies are not systemic and the overall program The examples below provide examiner guidance for
remains effective. However, because it is evident in preparing written comments for apparent violations of the
interviews with several branch employees that their BSA and implementing regulations. In general, write-ups
training in this area has been lacking, examiners also cite should fully detail the nature and severity of the
an apparent violation of Section 326.8(c)(4) and request infraction(s). These comments intentionally omit the
that the institution implement a comprehensive training management responses that should accompany all apparent
program that encompasses all of its service locations. violation write-ups.

Example 3 Part 326.8(b)(1) of the FDIC Rules and Regulations

Examiners at the independent BSA examination of Part 326.8(b)(1) requires each bank to “develop and
Bullwinkle Bank and Trust, Moose-Bow, Iowa, a $30 provide for the continued administration of a program
million financial institution, were provided no written BSA reasonably designed to assure and monitor compliance
policies after several requests. However, actual internal with recordkeeping and reporting requirements” of the
practices for BSA compliance were found to be fully Bank Secrecy Act, or 31 CFR 103. The regulation further
satisfactory for the size and BSA risk-level of the financial states that “the compliance program shall be written,
institution. Given the low risk profile of the institution, approved by the bank’s board of directors, and noted in the
including a nominal volume of reportable transactions minutes.”
being processed by the institution, the BSA/AML
procedures in place are sufficient for the institution. The Board and the senior management team have not
Therefore, examiners cite only an apparent violation of adequately established and maintained appropriate
Section 326.8(b)(1) for failure to develop an adequate procedures reasonably designed to assure and monitor the
written BSA compliance program that is approved by the financial institution’s compliance with the requirements of
financial institution’s board of directors. the BSA and related regulations. This assessment is
evidenced by the weak internal controls, policies, and
Example 4 procedures as identified at this examination. Furthermore,
the Board and senior management team have not made a
Appropriately following pre-examination scoping reasonable effort to assure and monitor compliance with
requirements, examiners obtain information from their recordkeeping and reporting requirements of the BSA. As
Regional SACM or other designees on previous SAR a result, apparent violations of other sections of Part 326.8
filings relating to money laundering. Upon arrival at of the FDIC Rules and Regulations and 31 CFR 103 of the
Mission Achievement Bank, Agana, Guam, a $250 million U.S. Treasury Recordkeeping Regulations have been cited.
financial institution with overseas branches, examiners
determine that several of the accounts upon which money Part 326.8(b)(2) of the FDIC Rules and Regulations
laundering SARs had been previously filed are still open
and evidencing ongoing money laundering activity. Part 326.8(b)(2) states that each bank must have a
However, the financial institution has failed to file customer identification program to be implemented as part
subsequent SARs on this continued activity in these of the BSA compliance program.
accounts and/or the parties involved. Consequently, the
examiner appropriately cites apparent violations of Section Management has not provided for an adequate customer
353.3(a) of the FDIC Rules and Regulations for failure to identification program. Current policy requirements do not
file SARs on this ongoing activity. Further analysis meet the minimum provisions for a customer identification
identifies that the failure to appropriately monitor for program, as detailed in 31 CFR 103. Current policies and
suspicious or unusual transactions in its high-risk accounts practices require no documentation for new account
and subsequently file SARs is a systemic problem at the openings on the Internet with the exception of a
financial institution. Because of the institution-wide “verification e-mail” sent out confirming that the signer
problem, the examiner cites an apparent violation of wants to open the account. Signature cards are mailed off-
Section 326.8(c)(1) for inadequate internal controls. site to the Internet customer, who signs them and mails
Furthermore, after consultation with the Regional SACM, them back without any evidence of third-party verification,
the examiner concludes that the institution’s overall BSA such as notary seal. Based on the risk of these types of
program is inadequate because of the failures to identify accounts, this methodology for verification is clearly

Bank Secrecy Act (12-04) 8.1-52 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
inadequate to meet regulatory requirements and sound
customer due diligence. Part 326.8(c)(3) states that the compliance program shall
designate an individual or individuals responsible for
Part 326.8(c)(1) of the FDIC Rules and Regulations coordinating and monitoring day-to-day compliance.

Part 326.8(c)(1) states, in part, that the compliance The board of directors has named Head Teller Ben Bison
program shall, at a minimum, provide for a system of as the BSA officer. While Mr. Bison has a basic
internal controls to assure ongoing compliance. understanding of CTR filing, he does not have any training
on detecting and reporting suspicious activity.
Management has not provided for an adequate system of Furthermore, Ben Bison does not have policy-making
internal controls to assure ongoing compliance. Examiners authority over the BSA function. Management needs to
identified the following internal control deficiencies: appoint someone with policy-making authority as the
institution’s BSA Officer.
• Incomplete BSA and AML policies for a bank with a
high-risk profile. Part 326.8(c)(4) of the FDIC Rules and Regulations
• Insufficient identification systems for CTR reporting.
• Late CTR filings. Part 326.8(c)(4) states that the compliance program shall
• Insufficient reporting mechanisms for identification of provide training for appropriate personnel.
structured transactions and other suspicious activity.
• Weak oversight over high-risk customers. Example 1:
• Insufficient customer identification program and
customer due diligence. While BSA training programs are adequate, management
has trained less than half of the appropriate operational
Due to the financial institution’s high-risk profile, personnel during the last calendar year. Management must
management should go beyond minimum CIP requirements ensure that all appropriate personnel, including the board
and do a sufficient level of due diligence that provides for of directors and officers, receive adequate BSA training a
a satisfactory evaluation of the customer. Management minimum of once per year and ongoing for those whose
must provide for adequate reporting mechanisms to duties require constant awareness of the BSA requirements.
identify large cash transactions as well as suspicious
activity. Timely completion and review of appropriate Example 2:
reports, in conjunction with a sufficient level of due
diligence, should allow for the accurate and timely BSA training needs improvement. While regular BSA
reporting of CTRs and SARs. training sessions are developed and conducted for branch
operations personnel, the training programs do not address
Part 326.8(c)(2) of the FDIC Rules and Regulations internal BSA policies and, more importantly, BSA and
anti-money laundering regulations. Management must
Part 326.8(c)(2) states that the compliance program shall ensure that comprehensive BSA training is provided to all
provide for independent testing for compliance to be directors, officers, and appropriate operational personnel.
conducted by an outside party or bank personnel who have Training should be provided at least annually, and must be
no BSA responsibility or oversight. ongoing for those whose duties require constant awareness
of BSA requirements. The training must be commensurate
The financial institution’s BSA policies provide for with the institution’s BSA risk-profile and provide specific
independent testing. However, the financial institution has employee guidance on detecting unusual or suspicious
not received an independent review for over three years. transactions beyond the detection of cash structuring
An annual review of the BSA program should be transactions.
completed by a qualified independent party. This review
should incorporate all of the high-risk areas of the Part 353.3 of the FDIC Rules and Regulations and 31
institution, including cash-intensive accounts and C.F.R. 103.18
transactions, sales and purchases of monetary instruments;
customer exemption list; electronic funds transfer Part 353.3(a) and 31 C.F.R. 103.18 state, in part, that
activities, and compliance with customer identification Suspicious Activity Reports (SARs) should be filed when:
procedures.
• Insider abuse is involved in any amount;
Part 326.8(c)(3) of the FDIC Rules and Regulations

DSC Risk Management Manual of Examination Policies 8.1-53 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
• Transactions aggregating $5,000 or more when the from February through May of 20XX were filed between
suspect can be identified; 65 days and 82 days of the initial detection of the activity.
• Transactions aggregating $25,000 or more when the Management must ensure that suspicious activity reports
suspect can not be identified; and are not only identified, but also filed in a timely manner.
• Transactions aggregating $5,000 or more that involve
money laundering or violations of the BSA… if the Part 353.3(f) of the FDIC Rules and Regulations
bank knows, suspects, or has reason to suspect that:
o The transaction involves funds derived from Part 353.3(f) of the FDIC Rules and Regulations states that
illegal activities, bank management must promptly notify its board of
o The transaction is designed to evade BSA directors, or a committee thereof, of any report filed
reporting requirements, or pursuant to Part 353 (Suspicious Activity Reports).
o The transaction has no business or apparent
lawful purpose or is not the sort of Management has not properly informed the board of
transaction in which the particular customer directors of SARs filed to report suspicious activities. The
would normally be expected to engage, and management team has provided the board with erroneous
the bank knows of no reasonable explanation reports showing that the bank has filed SARs, when, in
for the transaction after examining the fact, the management team never did file such SARs.
available facts, including the background and Board and committee minutes clearly indicate a reliance on
possible purpose of the transaction. these reports as accurate.

Management failed to file SARs on several different 31 C.F.R. 103.22(c)(2)

deposit account customers, all of which appeared to be
structuring cash deposits to avoid the filing of CTRs. This section of the Financial Recordkeeping Regulations
These transactions all appeared on large cash transaction requires the bank to treat multiple transactions totaling
reports reviewed by management; however, no one in the over $10,000 as a single transaction.
institution researched the transactions or filed SARs on the
incidents. Management must file SARs on the following Management’s large cash aggregation reports include only
customer transactions and appropriately review suspicious those cash transactions above $9,000. Because of this
activity and file necessary SARs going forward. weakness in the reporting system’s set-up, the report failed
to pick up transactions below $9,000 from multiple
Account Number Dates Total Cash Deposited accounts with one owner. The following transactions were
123333 02/20/xx-02/28/xx $50,000 identified which should have been aggregated and a CTR
134445 03/02/xx-03/15/xx $32,300 filed. Management needs to alter or improve their system
448832 01/05/xx-03/10/xx $163,500 in order to identify such transactions.
878877 03/10/xx-03/27/xx $201,000
Customer Name Date Amount
Part 353.3(b) of the FDIC Rules and Regulations and Account #
31 C.F.R. 103.18(b)(3) Mini Meat Market
122222222 12/12/xx $8,000
Part 353.3(b) of the FDIC Rules and Regulations and 31 122233333 12/12/xx $4,000
C.F.R. 103.18(b)(3) state that a bank shall file a suspicious
activity report (SAR) no later than 30 calendar days after 122222222 12/16/xx $6,000
the date of initial detection of facts that may constitute a 122233333 12/16/xx $5,000
basis for filing a SAR. In no case shall reporting be
delayed more than 60 calendar days after the date of initial Claire’s Club Sandwiches
detection. a/k/a Claire’s Catering
15555555 12/22/xx $4,000
Management and the board have failed to file several 17777777 12/22/xx $7,000
hundred SARs within 30 calendar days of the initial 17777788 12/22/xx $3,000
detection of the suspicious activity. The BSA officer failed
to file any SARs for the time period of June through 31 C.F.R. 103.22(d)(6)(i)
August 20XX. This information was verified through use
of the FinCEN database, which showed than no SARs had This section of the Financial Recordkeeping regulation
been filed during that time period. In addition, SARs filed states that a bank must document monitoring of exempt

Bank Secrecy Act (12-04) 8.1-54 DSC Risk Management Manual of Examination Policies
Federal Deposit Insurance Corporation
BANK SECRECY ACT, ANTI-MONEY LAUNDERING,
AND OFFICE OF FOREIGN ASSETS CONTROL Section 8.1
person transactions. Management must review exempt identification number or number and country of issuance of
accounts at least one time per year and must document any government-issued documentation.
appropriate monitoring and review of each exempt
account. The financial institution’s policies and programs require
that all employees obtain minimum customer identification
Management has exempted three customers, but has failed information; however, accounts in the Vermont Street
to document monitoring of their accounts. Management Branch have not been following minimum account opening
has stated that they did monitor the account transactions standards. Over half of the accounts opened at the
and no suspicious activity appears evident; however, Vermont Street Branch since October 1, 2003, when this
management must retain appropriate documentation for all regulation came into effect, have been opened without tax
account monitoring of exempt customers. Such monitoring identification numbers or similar personal identification
documentation could include, but is not limited to: number for non-U.S. citizens. Management must ensure
that BSA policies and regulations are followed throughout
• Reviews of exempt customers cash transactions, the institution and verify through BSA officer reviews and
• Review of monthly statements and monthly activity, independent reviews that requirements are being met.
• Interview notes with account owners or visitation
notes from reviewing the place of business,
• Documenting changes of ownership, or WEB-SITE REFERENCES
• Documenting changes in amount, timing, or type of
transaction activity. Financial Crimes Enforcement Network (FinCEN):
www.fincen.gov
31 C.F.R. 103.27(a)
FinCEN Money Services Businesses:
This section of the Financial Recordkeeping regulation www.msb.gov
requires the financial institution to retain all Currency
Transaction Reports for five years. Financial Action Task Force:
www.oecd.org/fatf
Management failed to keep copies of all of the CTRs filed
during the past five years. Management can locate CTRs Office of Foreign Assets Control:
filed for the past two years but has not consistently retained www.ustreas.gov/offices/eotffc/ofac
CTR copies for the three years preceding. Management
needs to make sure that its record-keeping systems allow
for the retention and retrieval of all CTRs filed for the
previous five year time period.

31 C.F.R. 103.27(d)

This section of the Financial Recordkeeping regulation

requires the financial institution to include all appropriate
information required in the CTR.

Management has consistently failed to obtain information

on the individual conducting the transaction unless that
person is also the account owner. This information is
required in the CTR and must be completed. Since this is a
systemic failure, management needs to ensure proper
training is provided to tellers and other key employees to
ensure that this problem is corrected.

31 C.F.R. 103.121(b)(2)(i)(A)(4)(ii)

This section of the Financial Recordkeeping regulation

states that the financial institution must obtain a tax

DSC Risk Management Manual of Examination Policies 8.1-55 Bank Secrecy Act (12-04)
Federal Deposit Insurance Corporation