Issue #23 - April 2017

New Administration, Renewed Focus on BSA? 

By Amber Goodrich, Compliance Strategist, CSI Regulatory Compliance

On Feb. 9, his 21st day in office, President Trump released an executive order (E.O.) that essentially serves as a “call to arms” against criminal organizations, as part of his pre-election promise to restore law and order to the United States.

The E.O., Enforcing Federal Law with Respect to Transnational Criminal Organizations and Preventing International Trafficking, states, “It shall be the policy of the executive branch to strengthen enforcement of Federal law in order to thwart transnational criminal organizations and subsidiary organizations, including criminal gangs, cartels, racketeering organizations, and other groups engaged in illicit activities that present a threat to public safety and national security that are related to,” among other things, fraud, financial crime and cybercrime.

The order also calls on federal law enforcement agencies to “give a high priority and devote sufficient resources” toward that end. This could lead to heightened enforcement of the Bank Secrecy Act (BSA) and cybersecurity-related regulations. And while any new rules or regulations would take years to come to fruition, financial institutions should prepare for this possibility by taking stock of their current BSA and information security compliance programs.

A BSA List Process Recap


Beyond fulfilling mandatory Customer Due Diligence (CDD) requirements, institutions must consider how watch lists and additional government lists come into play, especially following the release of the executive order. While screening the OFAC SDN list is an enormous portion of BSA requirements, the Act also requires institutions to screen additional lists, namely 314a.

Published every two weeks by FinCEN, 314a is compiled by federal, state, local—and in some cases, foreign—governments, and lists individuals that may be involved in terrorism or money laundering activities. Financial institutions must search their transactions dating back six months from publication, and their customer lists for the preceding 12 months, to ensure they’re not conducting business with anyone on 314a. Any positive matches must then be reported to FinCEN within 2 weeks of the request date.

Prudent Steps in Reviewing Your BSA Program for 2017

In addition to ensuring the list process is up to par, institutions will want to review their BSA programs as a whole to ensure they can stand up to the heightened scrutiny following the E.O.

The checklist below gives your financial institution a solid foundation for ensuring your BSA program is sufficiently updated.

  • Take a good look at your program as a whole, including a review of these standard BSA components:
    • Risk Assessment
    • Internal Controls
    • Independent Testing
    • Designated BSA Officer
    • Training
  • Ensure CDD and CIP policies and procedures are up to par—especially in light of FinCEN’s CDD Final Rule, which takes effect May 11, 2018—and as a good business practice to get to know your customers.
  • Confirm monitoring systems are in place and sufficient. This means OFAC monitoring, 314a and transaction monitoring of customer accounts.
  • Focus on data integrity within the organization, and look for ways to gain a holistic view of the customer.
  • Set the tone at the top and focus on a culture of compliance. Everyone should communicate as one team—particularly the IT, cybersecurity and fraud/BSA departments—which historically have operated separately. This convergence is where the “heightened awareness” aspect of the E.O. plays out.

Exercise caution and stay up-to-date on the changing regulatory and cybersecurity environment.

The Right Technologies Can Help

Just as cyber criminals increasingly employ new technologies to take over accounts and commit various types of electronic fraud, financial institutions also should implement innovative technologies to help even the score. Watch list screening solutions are available that allow users to not only automate screening for OFAC and other terrorist watch lists, but also scan their customer base against additional lists, like 314a, from the same platform.

The Truth: This E.O. Is Not Shocking

In the end, President Trump’s order comes as no surprise, since cybersecurity and related matters have remained front and center for many years. Rather, it should serve as a heads-up to financial institutions that regulatory and examiner scrutiny could fall squarely on BSA programs as the new administration marches forward.
