Lesson 12 of 25
BSA: The Five Pillars
5 min read · CRCM
Build the Bank Secrecy Act program from the ground up: the five pillars, the Customer Identification Program, and CDD with beneficial-ownership at the 25% threshold (31 CFR Chapter X).
The BSA framework
- Bank Secrecy Act, 31 USC 5311; 31 CFR Chapter X
- Administered by FinCEN
- USA PATRIOT Act expanded it
- Detect and deter money laundering / terrorist financing
BSA and OFAC together carry significant weight on this exam, and they're the bridge between bank compliance and financial-crime work. The Bank Secrecy Act, at thirty-one U-S-C fifty-three eleven and implemented in thirty-one C-F-R Chapter Ten, requires financial institutions to help the government detect and deter money laundering and terrorist financing. FinCEN, the Financial Crimes Enforcement Network, administers it.
The USA PATRIOT Act, passed after September eleventh, significantly expanded these obligations, adding customer-identification and enhanced due-diligence requirements. Think of the B-S-A as the recordkeeping-and-reporting backbone that makes the financial system transparent to law enforcement. The exam tests your grasp of the program a bank must build to comply.
The five pillars
1. A designated BSA Officer
2. Internal controls / policies
3. Training
4. Independent testing
5. Customer Due Diligence (CDD)
The CRCM outline names the five pillars of a B-S-A program directly, so know them cold. One: a designated B-S-A compliance officer, a specific person accountable for the program. Two: a system of internal controls, the policies and procedures that govern day-to-day compliance.
Three: ongoing training for appropriate staff. Four: independent testing, an audit of the program by someone independent of the function. And five, added by the FinCEN rule: customer due diligence, including understanding the nature and purpose of customer relationships and identifying beneficial owners.
The first four are sometimes called the four pillars; the fifth, C-D-D, completes the modern set. The exam may give you a program weakness and ask which pillar is missing. A helpful way to diagnose a scenario: if no one is clearly in charge, that's the officer pillar; if there are no written rules or transaction limits, that's internal controls; if staff don't know the red flags, that's training; if the program is never independently checked, that's independent testing; and if the bank doesn't understand who its customers are or what they're doing, that's customer due diligence.
Map the symptom to the pillar, and the question answers itself.
Customer Identification Program (CIP)
- Verify identity at account opening
- Collect name, date of birth, address, ID number
- Risk-based verification methods
- Check against government lists
Within the program sits the Customer Identification Program, the C-I-P, required by the PATRIOT Act. When opening an account, a bank must collect minimum identifying information: the customer's name, date of birth for individuals, a physical address, and an identification number such as a Social Security number or taxpayer ID. The bank must then verify the customer's identity using documentary or non-documentary methods, on a risk basis, and check the customer against government lists of known or suspected terrorists.
The C-I-P must be in writing and part of the broader B-S-A program. The exam may test the minimum data elements or the requirement to verify identity within a reasonable time. C-I-P is the front door of the program.
Customer Due Diligence and beneficial ownership
- Understand purpose of the relationship
- Risk-rate customers; monitor ongoing activity
- Identify beneficial owners of legal-entity customers
- Enhanced due diligence for higher-risk customers
The fifth pillar, customer due diligence, is codified in the FinCEN C-D-D Rule at thirty-one C-F-R ten ten point two-three-zero. It requires banks to understand the nature and purpose of customer relationships in order to develop a risk profile, and to conduct ongoing monitoring to spot and report suspicious activity and keep customer information current. A signature piece is beneficial ownership: when a legal-entity customer such as a company opens an account, the bank must identify and verify the individuals who own twenty-five percent or more of the entity and one individual who controls it.
Higher-risk customers warrant enhanced due diligence, deeper scrutiny. The exam tests the beneficial-ownership thresholds and the link between C-D-D and suspicious-activity detection.
Risk-based program and governance
- Program scaled to the bank's risk profile
- Board approval and oversight
- BSA Officer reports to the board
- Examined by federal regulators
A B-S-A program must be risk-based, scaled to the size, complexity, and risk profile of the institution; a community bank's program looks different from a global bank's. The board of directors approves the program and oversees it, and the B-S-A officer reports to the board or a designated committee, which preserves independence and authority. Federal regulators examine the program using the F-F-I-E-C B-S-A slash A-M-L Examination Manual, the public reference that, by the way, is one of AMLReady's sources.
This governance structure ties B-S-A directly into the compliance-management domain we'll cover later. On the exam, remember that board approval and an empowered, independent B-S-A officer are non-negotiable program features. It's also worth distinguishing the B-S-A officer from the broader compliance officer role we'll study in the management domain: the B-S-A officer specifically owns the anti-money-laundering program, has the authority and resources to run it, and reports independently to the board, which protects them from pressure to look the other way.
When a fact pattern shows a B-S-A officer with no authority, no budget, or no board access, that's a governance failure the exam wants you to flag, regardless of how good the bank's monitoring software might be.
Recap
- BSA = detect/deter laundering, 31 CFR Chapter X (FinCEN)
- Five pillars: officer, controls, training, testing, CDD
- CIP verifies identity at account opening
- CDD: risk profile, monitoring, beneficial ownership (25%)
Recap of the B-S-A foundation. The Bank Secrecy Act, administered by FinCEN under thirty-one C-F-R Chapter Ten, requires a risk-based program built on five pillars: a designated B-S-A officer, internal controls, training, independent testing, and customer due diligence. The Customer Identification Program verifies identity at account opening.
C-D-D builds a risk profile, monitors ongoing activity, and identifies beneficial owners at the twenty-five-percent threshold. The board approves and oversees it all. Go test yourself, then we'll cover the reporting side: S-A-Rs, C-T-Rs, and recordkeeping.
Sources
- Bank Secrecy Act (31 USC 5311 et seq.)
- 31 CFR Chapter X (FinCEN)
- USA PATRIOT Act
- FinCEN CDD Rule (31 CFR 1010.230)
- FFIEC BSA/AML Examination Manual
Test your knowledge
A few CRCM questions on this material.
Q1. A third-party debt collector calls a consumer at 10:00 PM to discuss a past-due account. Under the Fair Debt Collection Practices Act, is this call permissible?
Q2. An active-duty servicemember contacts the bank asking to have the interest rate on a personal loan originated two years before entering active duty reduced under the SCRA. What must the servicemember provide, and what rate applies?
Q3. Under Regulation P, when must a bank provide an initial privacy notice to a consumer?
Q4. A bank shares a consumer's nonpublic personal information with a service provider that processes the bank's credit card transactions. Does this sharing require the bank to offer the consumer an opt-out?