BankInfoSecurity.com - Banking Information Security News, Regulations, & Education  

 

Federal Financial Institutions Examination Council (FFIEC)


 Bank Secrecy Act/Anti-Money Laundering Examination Handbook

This Federal Financial Institutions Examination Council (FFIEC) Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) Examination Manual provides guidance to examiners for carrying out BSA/AML and Office of Foreign Assets Control (OFAC) examinations. An effective BSA/AML compliance program requires sound risk management; therefore, the manual also provides guidance on identifying and controlling risks associated with money laundering and terrorist financing. The manual contains an overview of BSA/AML compliance program requirements, BSA/AML risks and risk management expectations, industry sound practices, and examination procedures. The development of this manual was a collaborative effort of the federal banking agencies and the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury, to ensure consistency in the application of the BSA/AML requirements. In addition, OFAC assisted in the development of the sections of the manual that relate to OFAC reviews. Refer to Appendices A ("BSA Laws and Regulations"), B ("BSA/AML Directives"), and C ("BSA/AML References") for guidance.



 Introduction, Core Overviews and Procedures, Bank Secrecy Act/Anti-Money Laundering Examination Manual

This Federal Financial Institutions Examination Council (FFIEC) Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) Examination Manual provides guidance to examiners for carrying out BSA/AML and Office of Foreign Assets Control (OFAC) examinations. An effective BSA/AML compliance program requires sound risk management; therefore, the manual also provides guidance on identifying and controlling risks associated with money laundering and terrorist financing. The manual contains an overview of BSA/AML compliance program requirements, BSA/AML risks and risk management expectations, industry sound practices, and examination procedures. The development of this manual was a collaborative effort of the federal banking agencies and the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury, to ensure consistency in the application of the BSA/AML requirements. In addition, OFAC assisted in the development of the sections of the manual that relate to OFAC reviews. Refer to Appendices A ("BSA Laws and Regulations"), B ("BSA/AML Directives"), and C ("BSA/AML References") for guidance.



 Expanded Overviews and Procedures - Bank Secrecy Act/Anti-Money Laundering Examination Manual

Objective: Assess the organization's enterprise-wide program for BSA/AML compliance through the holding company or lead financial institution.

Similar to the approach to consolidated credit, market, and operational risk, effective control of BSA/AML risk may call for coordinated risk management. An enterprise-wide BSA/AML compliance program coordinates the specific regulatory requirements throughout an organization inside a larger risk management framework. Such frameworks seek a consolidated understanding of the organization's risk exposure to money laundering and terrorist financing across all activities, business lines, or legal entities. For example, the holding company or lead financial institution may have a centralized function to evaluate BSA/AML risk; this may include the ability to understand world-wide exposure to a given customer, particularly those considered high-risk or suspicious, consistent with applicable laws.

Many organizations, typically those that are larger or more complex and that may include international operations, implement an enterprise-wide BSA/AML compliance program that manages risks in an integrated fashion across affiliates, business lines, and risk types (e.g., reputation, compliance, or transaction). Some larger or more complex organizations may decide to manage their risks by developing enterprise-wide approaches to their BSA/AML compliance program. Such programs manage risk at both operational and strategic levels.



 Appendices - Bank Secrecy Act/Anti-Money Laundering Examination Manual

The following is a list of the appendices from the Bank Secrecy Act/Anti-Money Laundering Examination Manual.


Appendix A: BSA Laws and Regulations (2006)
Appendix B: BSA/AML Directives
Appendix C: BSA/AML References (2006)
Appendix D: Statutory Definition of Financial Institution
Appendix E: International Organizations
Appendix F: Money Laundering and Terrorist Financing "Red Flags" (2006)
Appendix G: Structuring
Appendix H: Request Letter Items (2006)
Appendix I: Risk Assessment Link to the BSA/AML Compliance Program
Appendix J: Quantity of Risk Matrix
Appendix K: Customer Risk versus Due Diligence and Suspicious Activity Monitoring
Appendix L: SAR Quality Guidance
Appendix M: Quantity of Risk Matrix — OFAC Procedures
Appendix N: Private Banking — Common Structure
Appendix O: Examiner Tools for Transaction Testing
Appendix P: BSA Record Retention Requirements (2006)
Appendix Q: Acronyms (2006)



 Agencies Release Revised Bank Secrecy Act/Anti-Money Laundering Examination Manual

The Federal Financial Institutions Examination Council (FFIEC) today released the revised Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual (manual). The revised manual reflects the ongoing commitment of the federal banking agencies and the Financial Crimes Enforcement Network (FinCEN) to provide current and consistent guidance on risk-based policies, procedures, and processes for banking organizations to comply with the BSA and safeguard operations from money laundering and terrorist financing. The manual has been updated to further clarify supervisory expectations and incorporate regulatory changes since the manual's 2005 release. The revisions also draw upon feedback from the banking industry and examination staff.



 Federal Financial Regulators Release Updated Information Security Booklet

The Federal Financial Institutions Examination Council today issued revised guidance for examiners and financial institutions to use in identifying information security risks and evaluating the adequacy of controls and applicable risk management practices of financial institutions. The Information Security Booklet is one of twelve that, in total, comprise the FFIEC IT Examination Handbook. In addition to the revised Information Security Booklet, the agencies also released an Executive Summary that contains high level synopses of each of the twelve booklets and describes the handbook development and maintenance processes.

The security of financial institutions' systems and information is essential to maintaining the privacy of customer information and safe and sound operations. The Information Security Booklet describes how an institution should protect and secure the systems and facilities that process and maintain information. The booklet calls for financial institutions and technology service providers (TSPs) to maintain effective security programs tailored to the complexity of their operations.



 FDIC to Hold Three Identity Theft Symposia

The Federal Deposit Insurance Corporation (FDIC) announced that it will hold a symposium on the importance of continued consumer confidence in e-commerce in San Francisco on June 23, 2006 at the Hyatt Regency Hotel. The half-day meetings will bring together experts from the government and private sector to discuss ways to combat on-line identity theft and help find ways to maintain public confidence in e-commerce.

The meeting will run from 7:30 a.m. to 1:00 p.m. Keynote speaker Charlene Zettel, Director, California Department of Consumer Affairs, will set the stage for the day's event. The first panel will focus on Ensuring Integrity in Payment Systems while the second panel will address Building Confidence by Managing Risk in E-Commerce. The third panel will address Consumer Rights and Resources in an E-Commerce World. The symposium is free of charge and open to both industry and public participants.



 Examination Procedures for the New Regulations on Medical Information

The Federal Financial Institutions Examination Council (FFIEC) Task Force on Consumer Compliance has approved the attached examination procedures to assess compliance with the medical information regulations that became effective on April 1, 2006. The regulations implement the Protection of Medical Information provisions of the Fair Credit Reporting Act (FCRA), as amended by the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The new procedures are effective with the issuance of this FIL.

Highlights:

- The attached examination procedures for the medical information regulations are the first in a series of amendments to FCRA examination procedures that were released with FIL-18-2006 on February 22, 2006.



 FinCEN seeks industry input on feasibility of collection of cross-border wire transfer data

The Financial Crimes Enforcement Network today announced it is issuing a survey to banking and financial services industry trade groups seeking information about the feasibility and impact of implementing a cross-border wire transfer reporting requirement under the Bank Secrecy Act. The survey, which is required by the Intelligence Reform and Prevention Act of 2004, is part of an ongoing study into the feasibility of imposing a requirement that financial institutions report to FinCEN records that they currently maintain concerning international wire transfers. The American Bankers Association, the Institute of International Bankers, the Credit Union National Association, the Independent Community Bankers of America and representatives of major money wire services are assisting in this effort by distributing this survey to their membership.



 Information Security Booklet - OCC - FFIEC

The Federal Financial Institutions Examination Council (FFIEC) has released updated information security guidance in the form of a new Information Security Booklet. The Information Security Booklet is the first in a series of booklets that will completely update and replace the 1996 FFIEC Information Systems Examination Handbook.

Reliance on technology in all aspects of banking by bankers, consumers, and corporations has increased both the potential for, and likely impact of, security threats to national banks. Widespread adoption of effective security processes can help ensure that the banking industry maintains effective safeguards against such threats and, by doing so, helps preserve the public trust. The Information Security Booklet provides a comprehensive security framework for national banks and their technology service providers. The framework focuses on implementing a security risk management process that identifies risks, develops and implements a security strategy, tests key controls, and monitors the risk environment. This framework also stresses the important roles that senior management and boards of directors play in this process by emphasizing their responsibility to recognize security risks in their banks and to assign appropriate roles and responsibilities to their managers and employees.



 Interagency Statement on Retail On-Line PC Banking - FFIEC

This statement alerts the Board of Directors and management to some of the risks and concerns of retail on-line, personal computer banking (PC banking). Recently, the staff of the FFIEC agencies organized a symposium to hear industry experts offer their thoughts and observations on the development of retail on-line PC banking. Through this statement, the FFIEC agencies wish to impart many of the ideas discussed during the symposium to bankers and examiners.

II. EXECUTIVE SUMMARY

Financial institutions are beginning to utilize new technologies to offer innovative products and services to their customers. On-line PC banking exemplifies an emerging delivery channel for retail banking services made possible by technology. One of the reasons for the rapid evolution of PC banking involves the increased use of the Internet. Regulatory agencies recognize that PC banking offers opportunities for financial institutions to enhance customer relationships and improve competitive positions.

Before implementing a PC banking program, management should exercise sufficient due diligence and develop comprehensive plans. Such due diligence would ordinarily include the following activities.

• Review the implications of PC banking on the institution's strategic plan;
• Evaluate customer expectations and demands;
• Determine resource requirements;
• Assess the risks and required controls, particularly those related to system security;
• Evaluate internal and/or external expertise needed to support the PC banking system;
• Develop effective policies and procedures covering the program;



 FFIEC Release of Information Technology Examination Handbook

TO: All Federally-Insured Credit Unions
SUBJ: FFIEC Release of Information Technology Examination Handbook

The purpose of this letter is to inform you of revised technology-related guidance provided to examiners and the credit union industry. Earlier this year, the Federal Financial Institutions Examination Council (FFIEC) released the Information Security Booklet – a first in a series of booklets to revise the existing 1996 FFIEC Information Systems Examination Handbook. The revised Information Technology (IT) Examination Handbook will be composed of several booklets to address significant changes in technology since 1996 and incorporates a risk-based examination approach to each booklet.

The FFIEC agencies plan to issue additional booklets covering such topics as business continuity planning, technology service providers, electronic banking, audit, payment systems, outsourcing, management, computer operations, and systems development and acquisition.



 Interagency Policy on Strategic Information Systems Planning for Financial Institutions - FFIEC

This policy issuance alerts all financial institutions to the importance of strategic information systems planning and its role in overall corporate management and planning. It identifies management's responsibilities in preparing strategic plans for their information systems requirements.

BACKGROUND

Information is a valuable corporate asset which is vital to the success of all financial institutions. The ability to remain competitive, introduce new products and services, and attain desired corporate goals often depends on the effective management of information systems technology.

Corporate level strategic planning is important in all financial institutions to effectively utilize available resources and achieve the long term goals and objectives of the organization. Strategic information systems planning is integral to the overall corporate strategic planning process and must support individual business strategies throughout the institution. The information systems strategic plan should address technology risks affecting all areas of operation, including contingency planning and disaster recovery, information security, systems and programming, computer operations, and end-user computing.



 Interagency Statement on EDP Service Contracts - FFIEC

This interagency statement alerts financial institutions to potential risks in contracting for EDP services and/or failing to properly account for certain contract provisions.

ISSUE:

Some financial institutions are entering into EDP servicing contracts that contain provisions which may adversely affect the institution. Contract provisions may include extended terms (up to ten years), significant increases in costs after the first few years, and/or substantial cancellation penalties.

In addition, some service contracts improperly offer inducements that allow an institution to retain or increase capital by deferring losses on the disposition of assets or avoiding expense recognition for current charges. Institutions experiencing earnings and capital problems are particularly attracted to these inducements.



 Agencies Release Bank Secrecy Act/Anti-Money Laundering Examination Manual


The Federal Financial Institutions Examination Council (FFIEC) today released the Bank Secrecy Act/Anti-Money Laundering Examination Manual (FFIEC BSA/AML Examination Manual). The manual’s release marks an important step forward in the effort to ensure the consistent application of the BSA to all banking organizations including commercial banks, savings associations, and credit unions.

The FFIEC BSA/AML Examination Manual was developed by the Board of Governors of the Federal Reserve System (Board), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and Office of Thrift Supervision (OTS) (collectively referred to as the federal banking agencies) in collaboration with the Financial Crimes Enforcement Network (FinCEN), the delegated administrator of the BSA. In addition, through the Conference of State Bank Supervisors, the state banking agencies played a consultative role. The Office of Foreign Assets Control collaborated on the development of core overview and examination procedures addressing compliance with regulations enforced by OFAC.



 New Call Report System Implementation

The banking agencies will implement the Central Data Repository (CDR) to process the Reports of Condition and Income (Call Reports) beginning with the third quarter 2005. This filing period begins September 30, 2005. Except for certain banks with foreign offices, data must be received by October 30, 2005. The agencies recognize that institutions whose operations have been significantly affected by Hurricane Katrina may experience difficulty or delay in filing their third quarter Call Report. Those institutions should contact their primary regulator or the CDR help desk at 1-888-CDR-3111 for special assistance in filing third quarter Call Report data.

The CDR will require banks to validate their Call Report data before it will be accepted. To allow sufficient time to complete the new prevalidation process prior to the submission deadline, banks should start their Call Report preparation process earlier than in the past. The new prevalidation process will require banks to correct errors identified by the CDR and, where necessary, to prepare explanatory comments for data that fall outside specific parameters. These explanatory comments, which will be filed along with a bank's data, will be considered confidential.



 NCUA : Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice

In 2001, NCUA amended 12 CFR Part 748 to fulfill a requirement in Section 501 of the Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA), in which Congress directed both NCUA and the other Federal Financial Institution Examination Council (FFIEC) agencies, including the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision (collectively, the “Banking Agencies”) to establish standards for financial institutions relating to administrative, technical, and physical safeguards to...



 FFIEC Information Technology Examination Handbook

The Federal Financial Institutions Examination Council (FFIEC) has issued updated guidance in three booklets on electronic banking (e-banking), information technology (IT) audit, and the FedLine electronic funds transfer application. These booklets are the most recent in a series that will completely update and replace the 1996 FFIEC Information Systems (IS) Examination Handbook. The work programs contained in the booklets represent expanded procedures that examiners can use if appropriate for the risk and complexity of the bank’s operations.

The Audit Booklet rescinds chapter 8, and the FedLine Booklet rescinds chapter 19 of the 1996 FFIEC IS Examination Handbook. The E-Banking Booklet replaces the OCC Internet Banking Handbook and OCC Bulletin 98-38, “Technology Risk Management: PC Banking.”

E-Banking Booklet

This booklet reflects the OCC’s views on the risks specific to e-banking and provides bankers and examiners with guidance on those risks and the risk management issues associated with the delivery of e-banking products and services.

Banks face unique risks based on the choices they make when implementing and enhancing their e-banking services. Decisions on network Internet connectivity, outsourcing various system components, and the specific products and services affect the level of risk and the complexity of risk management. Senior management and boards of directors must understand these risks before investing in and expanding their e-banking activities. They need to integrate the e-banking-related controls into their existing strategic plan, information security program, vendor management process, and business continuity plans. Banks must have appropriate controls, testing, and expertise for all internally managed e-banking system components. In addition, banks with outsourced e-banking processes should carefully select and monitor service providers to ensure that appropriate controls exist. The bank can outsource the process or service, but remains responsible for the adequacy of the controls to ensure confidentiality, integrity, and availability.



 Electronic Record Keeping

This advisory letter highlights issues regarding bank electronic record systems in light of the E-SIGN Act. 15 USC 7001, et seq. The letter provides a basic framework that bank management can use to assess and address key issues posed by electronic record keeping systems.

BACKGROUND

Federal legislation changed the legal framework for electronic records and will likely result in more banks adopting electronic record retention systems. Banks can implement electronic record retention systems in many ways to support different business processes. Some examples of possible electronic record retention systems are loan file imaging, retention of paperless applications and online agreements, and the use of electronic payment systems.



 Information Security Program

On January 17, 2001, the banking regulatory agencies adopted guidelines implementing Section 501 of the Gramm-Leach-Bliley Act (GLBA). The guidelines require financial institutions to establish a comprehensive and coordinated information security program, appropriate to the size of the bank and the complexity of its operations.

The guidelines require financial institutions to establish an information security program to: (1) identify and assess the risks that may threaten customer information; (2) develop a written plan containing policies and procedures to manage and control these risks; (3) implement and test the plan; and (4) adjust the plan on a continuing basis to account for changes in technology, the sensitivity of customer information, and internal or external threats to information security. Each institution may implement a security program appropriate to its size and complexity and the nature and scope of its operations.



 FFIEC Bank Secrecy Act/Anti-Money Laundering InfoBase

The Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) Examination InfoBase, which is located on the Federal Financial Institutions Examination Council's (FFIEC) Web site, has been updated. The InfoBase can be found at www.ffiec.gov/bsa_aml_infobase.

Highlights:

* On November 3, 2005, the FFIEC updated the BSA/AML Examination InfoBase, which is located on its Web site.

* The InfoBase is an automated tool for examiners and the banking industry that provides information on the FFIEC BSA/AML Examination Manual, released on June 30, 2005. The InfoBase also helps examiners and the industry to more easily use and navigate the Manual.



 Federal Financial Institutions Examination Council to Require Strong Authentication in an Internet Banking Environment

Summary: The Federal Financial Institutions Examination Council (FFIEC) has issued the attached guidance, "Authentication in an Internet Banking Environment." For banks offering Internet-based financial services, the guidance describes enhanced authentication methods that regulators expect banks to use when authenticating the identity of customers using the on-line products and services. Examiners will review this area to determine a financial institution's progress in complying with this guidance during upcoming examinations. Financial Institutions will be expected to achieve compliance with the guidance no later than year-end 2006.






Copyright © 2007 BankInfoSecurity.com