BSA Third Party Rules

Regulators have given financial institutions a green light for sharing Bank Secrecy Act (BSA) resources in some situations, but proper third-party vendor management practices and controls must be in place, according to a new interagency statement.

The Federal Reserve, Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Financial Crimes Enforcement Network (FinCEN) clarified their position on collaboration, noting it was most appropriate for simpler, community-focused institutions with a lower risk for money laundering (AML) or terrorist financing.

For example, an institution may find it effective to borrow someone well versed in BSA/AML from another institution to conduct independent testing or combine forces to make it more cost effective to hire a BSA/AML trainer. Sharing a compliance officer is far more challenging and less likely to work, the statement says.

Managing Complaints to Achieve Better Results

Collaborating & Vendor Management

Financial institutions should treat their BSA collaborators as third-party vendors subject to all vendor management guidance. The statement specifically mentions:

Contracts. A written agreement should define:

  • the nature and type of resources to be shared.
  • each institution’s rights and responsibilities.
  • procedures for protecting customer data and other confidential information.

Risk management. Develop a framework to manage the risks of sharing resources. This includes due diligence and a full risk assessment.

Performance review. This should be reviewed by management and periodically evaluated.

Ongoing monitoring. There should be systems and resources to ensure bank management properly oversees shared resource activities.

Reporting. Senior management and the board should be given and review periodic reports about the relationship.

The Takeaway

If you’re sharing BSA/AML resources with another institution, don’t treat it as a casual exchange. Your partner is a de facto vendor. Thorough vendor management is a must.