Audit Program

Bank Secrecy Act and Anti-money Laundering

W/P DONE DATE

REF. BY

Section A - Administration

Audit Objective
Determine that the bank has developed, and administers and maintains a
program that ensures and monitors compliance with the Bank Secrecy Act
anti-money laundering regulations.

Audit Program
1. Determine that the bank has implemented a compliance program
designed to assure and monitor compliance with the recordkeeping
and reporting requirements of the Bank Secrecy Act (BSA) and its
anti-money laundering (AML) regulations. Determine that program
policies and procedures are:

Documented in writing.
Approved by the board of directors and noted in the board
minutes.
Reaffirmed annually as required by policy.
Updated to reflect changes in the law and operations.

2. Obtain and review the BSA/AML compliance program and

determine that the contents of the compliance program provide for
the following:

System of internal controls to ensure ongoing compliance.

Independent compliance testing conducted by either bank
personnel or an outside party.
Designation of a qualified individual(s) responsible for
coordinating and monitoring day-to-day compliance.
Training for appropriate personnel.

3. Determine that the bank's AML policies address the following:

The various types of money laundering.

Compliance with BSA and related AML laws and
regulations.
A "know your customer" program.
High-risk activities, businesses, and foreign countries
commonly associated with money laundering.

4. Determine that the board of directors has appointed a BSA/AML

officer.

Through discussions with the BSA/AML officer, determine

and document the duties and responsibilities assigned to
this position.
If responsibilities for compliance with various aspects of
BSA/AML have been delegated to other individuals or
departments, determine and document their role.
 Audit Program
Bank Secrecy Act and Anti-money Laundering

5. Determine that the bank provides periodic training for appropriate

personnel regarding their responsibilities under BSA/AML. Training
should include, but not be limited to, tellers, platform, lending
personnel, trust personnel, wire room, and bookkeeping personnel.

Note dates of training session performed during the audit

period and determine that the frequency of the training is
adequate and that training is ongoing.
Review documentation relevant to the scope of training
sessions and determine the adequacy of such training
based upon the targeted audience.

6. Determine that the bank retains copies of the following records for a
minimum of five years:

Cash Transaction Reports (Form 4789).

Exemption lists.
Designation of exempt persons.
Biennial filings.
Annual reviews.
Monetary instrument logs.
Report of International Transportation of Currency or
Monetary Instruments (Form 4790).

NOTE: When a customer is removed from the exempt list, the

request for exemption is to be maintained for five years after
removal from the list.

7. Summarize results of testing and conclude as to whether the audit

objective has been met.

Section B - Customer Identification Program and Foreign Banking

Relationships

Audit Objectives
To determine compliance with Section 326 of the USA Patriot Act,
requiring financial institutions to implement a customer identification
program.
To determine compliance with foreign correspondent and private
banking relationships and information sharing.

Audit Program
Customer Identification Program (CIP)

1. Determine whether the bank has developed and implemented a

CIP for all new customers.

2. Obtain and review CIP policy/procedures. Verify compliance with

the following requirements:

Program is documented.
Program is approved by the board of directors and is
incorporated into the bank's BSA program.
Program includes identification and verification of new accounts
 Audit Program
Bank Secrecy Act and Anti-money Laundering

recordkeeping and comparison against government list of

known or suspected terrorists.

USA Patriot Act

1. Determine whether the bank maintains correspondent account
relationships with foreign banks.

If so, ensure the bank prohibits foreign shell banks from

maintaining a correspondent account.
If not, determine whether the bank's BSA/AML
policy/procedures address this area.

2. Determine whether the bank maintains private banking

accounts.

If not, determine whether the bank's BSA/AML

policy/procedures address this area.

3. Summarize results of testing and conclude as to whether the

audit objective has been met.

Section C Office of Foreign Assets Control

Audit Objective
To determine that the bank complies with the Office of Foreign
Assets Control (OFAC) regulations prohibiting specific transactions
with targeted countries and individuals or entities that are known to
be acting on behalf of targeted countries.

Audit Program
1. Determine that the bank has written policies and procedures for
complying with OFAC laws and regulations.

2. Determine who has been delegated responsibility for compliance

with OFAC and for overseeing blocked funds.

3. Determine and document the procedures for filtering transactions

for possible OFAC violations as follows:

New deposit accounts.

Established deposit accounts.
New loans.
New trust relationships.
Wire transfers.
Letters of credit.

4. Determine and document procedures for maintaining a current list

or database of blocked countries, entities, and individuals and
disseminating such information throughout the bank.

Ensure the list/database is up-to-date with foreign countries

that the United States has imposed economic sanctions.
Ensure the list/database contains specific sanctions by
each individual foreign country, with a synopsis of the types
of activities prohibited or severely limited.
 Audit Program
Bank Secrecy Act and Anti-money Laundering

Confirm the availability of the list/database to deposit,

lending, wire, and operational personnel.

5. Verify the bank rejects funds transfers that are remitted (outgoing):

By or on behalf of a blocked entity or individual.

To or through a blocked entity.
In connection with a transaction in which a blocked entity or
individual has an interest.

6. Verify that reports on rejected transactions are sent to OFAC within

10 days and include the following:

Name and address of the financial institution requesting the

transfer.
Date and amount of transfer.
Photocopy of the transfer or payment.
Reason for rejection. Name and telephone number of
compliance personnel at the bank who has knowledge of
the transaction.
Name and address of the beneficiary bank.

7. Ensure bank procedures require the following when a payment

order governed by OFAC is received (incoming):

The bank accepts the instruction.

Debits the customer's account.
Blocks the payment on the books.

NOTE: The bank may not reject the instructions and cannot accept
a customer's cancellation of the original instructions. "Suspense"
accounts should not be used. The only manner that the bank can
process a transfer related to a targeted country is if the underlying
transaction is authorized by general or specific license from OFAC.

8. Ensure that procedures require that transferred funds are blocked

and placed in interest bearing accounts that the bank maintains an
audit trail.

9. Verify that if the bank is holding blocked property, it reports to

OFAC such property within 10 business days from the date that the
property becomes blocked along with a copy of the transfer
instructions.

10. Review any reports of blocked funds remitted during the audit
period and verify the following has been provided:

Financial institution's name and address.

Identification of the property.
The owner of the account.
Property address and location.
Account number.
Value of the account.
Blocking data.
Photocopy of the transfer or payment instructions.
 Audit Program
Bank Secrecy Act and Anti-money Laundering

Confirmation that the funds have been deposited into a blocked

account. The identity of the individual or entity subject to be
blocking should be clearly identified.
Name and phone number of compliance personnel at the bank
who has knowledge of the transaction.
Date of report.

11. If blocked property is maintained, determine that an annual report of

blocked property held as of June 30 is filed with OFAC by September
30 using Form TDF 90-22.50.

12. Determine the bank releases funds from accounts that have been
blocked only with specific authorization from the U.S. Treasury
Department.

13. Determine that records relating to blocked property are retained for five
years after the date property is unblocked and are made available to
the U.S. Secretary of the Treasury upon request. All other records must
be retained for five years after the date of the transaction.

14. Determine the bank is prepared to report to OFAC complete information

relative to any transaction or property in which any foreign country or
any foreign national has any interest in, including books of accounts,
contracts, letters, or other papers connected with any such transaction.

15. Summarize results of testing and conclude as to whether the audit

objective has been met.

Section D - Funds Transfers

Audit Objective
To determine that procedures are in place to ensure compliance with
recordkeeping requirements for funds transfers in the amount of U.S. $3000
or more.

Audit Program
Suspicious Funds Transfer Monitoring

1 Determine and document the procedures in place to monitor for

accounts with frequent cash deposits and subsequent wire
transfers of funds to a larger institution or out of the country.

2. Determine and document the procedures in place to monitor funds

transfer activity for unusual patterns that might not be consistent
with the nature of the business or occupation of the customer.
Ensure written procedures have been developed, and include the
following in your review:

The method for capturing the data to be analyzed manual

or automated.
The frequency at which the captured data is compiled and
submitted to the BSA officer for review. Include the scope of
the BSA officer's review and action taken when unusual
patterns are identified that require additional research (e.g.,
additional research of customer activity, knowledge of
 Audit Program
Bank Secrecy Act and Anti-money Laundering

customers' business, involvement of account officer, or

suspicious activity reporting.)

3. Determine that the wire transfer database used for analysis by the
BSA officer is complete.

If the process is manual, select a sample of wire transfers

(incoming and outgoing) from the wire transfer request forms
and ensure the wires were properly entered into the manual
database.
If the process is automated, select a sample of wire transfers
(incoming and outgoing) to ensure system interfaces are
working properly.

4. Review the BSA officer's periodic analysis of wire transfer activity.

Discuss with the BSA officer the nature of the analysis performed,
and ensure it considers, at a minimum, the following red flags:

A high volume of international wire activity processed by the

bank.
Customers sending/receiving high volumes of wires, both
domestic and international.
Customers sending/receiving wires from foreign/unregulated
money exchange houses.
Customers sending/receiving wires from non-cooperative
countries.
Noncustomer activity, including pay-upon-proper-IDs.
Unusual wire activity, such as customers receiving small
dollar wires followed by large outgoing wires.
High volume of wires for whole dollar amounts.

5. Review the results of the BSA officer's monitoring procedures and

ensure monitoring is adequately documented and contains
evidence of appropriate research. In addition, ensure that
conclusions are well documented and that SARs are filed, if
appropriate.

6. Summarize results of testing and conclude as to whether the audit

objective has been met.

Section E - Filing of Currency Transaction Reports (CTRs) and

Currency and Monetary Instrument Reports

Audit Objective
To determine that adequate procedures are in place to ensure the
identification and reporting of currency transactions greater than U.S.
$10,000 to the U.S. Internal Revenue Service (IRS).

Audit Program
1. Determine if the bank has received a U.S. Treasury Department
targeting order. If it has, consider scope modifications.

2. Document the process followed to ensure all reportable

transactions are identified, being sure to include the following
information:
 Audit Program
Bank Secrecy Act and Anti-money Laundering

How tellers process cash transactions to ensure transactions

>$10,000 are captured by the system as reportable
transactions.
Determine whether currency/coin exchanges are processed
to ensure these amounts are captured and aggregated with
other cash-in and cash-outs of the customer (i.e., customer
deposits to an account and obtains a coin order.)
The various BSA reports with an explanation of how each
report is used. NOTE: Determine whether exception reports
are available and whether they are being used and reviewed
regularly.
The process management uses to ensure a properly
completed CTR is filed on time.
The process for correcting currency transaction report errors
before filing with the IRS, including procedures for tracking
errors by branch/employee, and action taken to address
training issues.

3. From the applicable system reports used by management to

identify reportable transactions, randomly select 20 cash
transactions greater than $10,000 from the most recent six-month
period. Ensure that CTR forms were filed for all reportable
transactions, or that reasons for not filing a CTR are documented
and are reasonable (i.e., exempt transaction; not a cash
transaction.) In addition, ensure CTRs are completed in accordance
with the guidelines.

4. Review the CTRs selected in Step 3 above and select 10 additional

CTRS filed by the bank in the most recent 6 month period. Include
different types of reportable transactions and CTRs originated from
various sources. Ensure that:

The most recent version of the IRS form is in use.

All applicable areas of the CTR form were properly
completed.
Each CTR was signed and dated by the preparer and
reviewer.
The CTR was filed within 15 calendar days following the date
of the transaction.

5. Review all correspondence from the IRS or Treasury regarding

incorrect or incomplete CTRs returned for corrective action since
the last audit. Ensure the bank has implemented appropriate
corrective action and filed the report within 20 calendar days.

6. Determine whether the bank has physically transported currency or

monetary instruments totaling more than $10,000, on its own
behalf, into or out of the United States. If so, verify that a Currency
and Monetary Instruments Report - Form 4790 was filed with the
U.S. Customs Service as follows: (31 CFR 103.25)

The bank filed Form 4790 with the Commissioner of Customs

at the time currency or other monetary instruments exceeding
$10,000 was transported, mailed, or shipped from the United
 Audit Program
Bank Secrecy Act and Anti-money Laundering

States to any place outside the United States, or into the

United States from any place outside the United States.

The bank filed Form 4790 within 15 days after receipt when it
received U.S. currency (or other monetary instruments) in an
aggregate amount exceeding $10,000 on any one occasion,
which was transported, mailed, or shipped to the bank from
any place outside the United States, in which a form had not
previously been filed.

7. Determine whether there is a procedure to identify and report

suspicious transactions or pattern of activity to the BSA officer.

8. Determine whether the bank performs a periodic review of currency

shipments to and from the Federal Reserve Bank, correspondent
banks, and between branches over a period of time (at least 3 months)
to determine that the volume appears reasonable.

9. Summarize results of testing and conclude as to whether the audit

objective has been met.

Section F - Exemption List and Designation of Exempt Persons

Audit Objective
To determine that exemption procedures are in compliance with the
administrative exemption rules.

Audit Program
1. Determine whether the bank maintains a centralized list of
customers who are exempt from CTR requirements.

2. Obtain and review the centralized list to ensure that only the
following permitted exemptions are included:

Domestic banks.
Federal, state, and local government agencies and any entity
exercising governmental authority (powers to tax, exercise
the authority of eminent domain, or exercise police powers).
Any entity listed on the New York Stock Exchange, American
Stock Exchange, or NASDAQ Stock Market (franchises are
not included.)
Subsidiaries of a listed entity (provided the listed entity owns
51 percent.)
Non-listed businesses (includes franchises of a listed
business.)
Businesses that make frequent cash withdrawals for payroll
purposes.

3. Review the bank's "designation of exempt persons" procedures for

adequacy.

4. Select a sample of 10 "exempt persons" exempt since the prior

audit from the centralized list. Include each type and test for
compliance with the exemption rules, as follows:
 Audit Program
Bank Secrecy Act and Anti-money Laundering

Domestic Banks, Government Agencies, Listed Businesses and

Subsidiaries of Listed Businesses
Determine that the "designation of exempt persons" was made
by filing a single CTR and the Designation of Exempt Persons
form (TDF 90-22.53.)

The designation of exempt persons was filed no later than 30

days following the first transaction in excess of $10,000.

NOTE: All cash transactions are exempt and the entity need
not have an account relationship.

Non-Listed Businesses and Payroll Customers

1. Determine that the designation of exempt persons was
made by filing a Designation of Exempt Persons form (TDF
90-22.53) and the account holder has met the exemption
criteria as follows:

Has maintained a transaction account for at least 12

months.
Had frequent currency transaction more than $10,000
or withdrawals in excess of $10,000 in currency to pay
employees in the U.S., as applicable (eight times in a
12 month period).
Is incorporated or registered as an eligible business in
the United States.

NOTE: In determining the qualification of a customer as an

exempt person, a bank may treat all exemptible accounts as a
single account. All accounts of the exempt person become
exempt and only transactions conducted through an exempt
account(s) are exempt from the reporting requirements.

NOTE: A sole proprietor may be treated as a non-listed

business or payroll customer if it otherwise meets the
requirements and the account(s) is used for business
purposes.

5. Summarize results of testing and conclude as to whether the audit

objective has been met.

Section G - Exempt Account Reviews, Biennial Renewals, and

Monitoring System

Audit Objectives
To determine that periodic reviews of exempt account holders are
performed to ensure that only properly qualified account holders remain
exempt and that there is a system in place to monitor accounts of exempt
persons for suspicious activity.

Audit Program
1. Obtain and review the bank's policies and procedures for the
annual review and biennial renewals of exempt persons.
 Audit Program
Bank Secrecy Act and Anti-money Laundering

2. Determine that the bank has established procedures to review and

verify information supporting each designation of an exempt person
at least once each year as follows:

Listed Businesses/Subsidiaries of Listed Businesses

Ensure that the parent company of a listed business remains listed
on the stock exchanges.

Non-Listed Businesses and Payroll Customers

Ensure the account holder continues to meet the eligibility
requirements for an exemption as follows:

Conducted frequent transactions > $10,000.

Is still duly incorporated or organized in accordance with
eligibility requirements.

3. Determine and document the bank's procedures for monitoring all

accounts of non-listed businesses and payroll customers for
suspicious activity.

4. Determine that the bank submits a biennial filing with the U.S.
Treasury to renew the exempt status of non-listed businesses and
payroll customers (designation of exempt persons) as follows:

The designation is renewed beginning on March 15 of the

second calendar year following the year in which the first
designation of such customer as an exempt person is made,
and every other March 15 thereafter.
The renewal includes a statement certifying that the bank's
system of monitoring transactions in currency of an exempt
person for suspicious activity has been applied as necessary,
but at least annually, to the account of the exempt person to
whom the biennial renewal applies.
The renewal includes information about any change in control
of the exempt person involved of which the bank knows (or
should know based on its records).

5. Select a sample of exempt account holders being sure to include

each type and review the documentation used for the annual review
and biennial renewal, as applicable:

Annual Review - Listed Business

Ensure the parent company remains listed on the stock
exchange as outlined in Step 2.

Annual Review - Non-Listed Business and Payroll Customer

Ensure all accounts of the account holder have been monitored
for continued eligibility and suspicious activity as outlined in
Step 2.

Biennial Renewal - Non-Listed Business and Payroll Customer

Ensure a biennial renewal has been filed certifying the
monitoring of accounts of the account holder for suspicious
activity as outlined in Step 4.
 Audit Program
Bank Secrecy Act and Anti-money Laundering

6. Determine that the bank has established procedures to provide

notice that an exemption has been revoked by filing Treasury form
TDF 90-22.53 - designation of exempt persons.

7. Summarize results of testing and conclude as to whether the audit

objective has been met.

Section H - Monetary Instrument Sales

Audit Objective
To determine that adequate procedures are in place to maintain records of
cash sales of monetary instruments for $3,000 to $10,000.

NOTE: Testing of monetary instrument logs/records may be completed

during branch audits.

Audit Program
1. Obtain and review the bank's policies and procedures for the sale
of monetary instruments and document the bank's policy for selling
monetary instruments to both deposit and non-deposit account
holders.

NOTE: Monetary instruments include bank checks, drafts, cashier's

checks, money orders, and traveler's checks.

2. Determine whether the bank has elected to maintain the monetary

instrument logs for cash sales of negotiable instruments in amounts
from $3,000 to $10,000 inclusive or to comply with the requirement
to obtain and maintain records of certain information (which may be
kept in any format).

NOTE: Contemporaneous purchases totaling $3,000 or more must

be treated as one purchase.

NOTE: Multiple purchases during one day totaling $3,000 or more

must be treated as one purchase if the bank has knowledge of their
occurrence.

3. Determine that there is a procedure in place to identify and report

suspicious transactions or patterns of activity to the BSA or security
officers.

4. Summarize results of testing and conclude as to whether the audit

objective has been met.

Section I - Suspicious Activity Reports

Audit Objective
To determine that procedures are in place for the identification and
reporting of suspicious transactions relevant to a possible violation of law or
regulation.

Audit Program

1. Determine and document the process established for reporting

suspicious transactions relevant to a possible violation of law or
 Audit Program
Bank Secrecy Act and Anti-money Laundering

regulation including BSA.

2. Determine that the board of directors or a designated committee is

promptly notified of all SAR filings. Review the division of
responsibilities between the BSA officer and the Security officer.

3. Verify SARs are filed with Financial Crimes Enforcement Network

(FinCEN) under the following circumstances:

Insider abuse involving any amount. NOTE: An insider is

defined as any director, officer, employee, agent, or other bank-
affiliated party.
Where the bank believes that it was an actual or potential
victim of criminal violation, a series of violations, or that the
bank was used to facilitate a criminal transaction, and the
violation aggregates $5,000 or more and the bank can identify
a suspect.
Where the bank believes that it was either an actual or potential
victim of a criminal violation, a series of violations, or that the
bank was used to facilitate a criminal transaction, and the
violation aggregates $25,000 or more and the bank cannot
identify a suspect.
Where the bank suspects or has reason to suspect currency
transactions aggregating $5,000 or more that involves potential
money laundering or violations of BSA as follows:

1. The transaction involves funds from illegal activities or is

intended to hide or disguise funds from illegal activities.

2. The transaction is designed to evade any of the BSA

regulations.

3. The transaction has no business or apparent lawful

purpose or is not the type of transaction that the customer
would normally conduct, and the transaction is for $5,000
or more.

NOTE: Transaction is defined as a deposit, withdrawal,

transfer between accounts, exchange of currency, loan,
extension of credit, purchase or sale of any stock, bond,
certificate of deposit, or other monetary instrument or
investment security, or any other payment, transfer, or
delivery by, through, or to a financial institution, by
whatever means.

4. Verify that SARs are filed within 30 calendar days of the date of
initial detection of the facts that cause the bank to believe a
suspicious activity has occurred.

NOTE: The bank may delay filing a SAR for an additional 30

calendar days to identify a suspect. However, the SAR filing cannot
be delayed more than 60 calendar days after the date of initial
detection of a reportable transaction, even if a suspect is not
identified.

5. In situations involving violations that require immediate attention

 Audit Program
Bank Secrecy Act and Anti-money Laundering

(e.g., ongoing money laundering) verify that the bank immediately

notifies an appropriate law enforcement authority and its primary
regulator, in addition to filing a SAR.

6. Review a random sample of SARs that have been filed by the BSA
officer since the last review. Verify that information reported is
correct and forms are properly completed, as follows:

A. Timeliness of filing:
The report was filed within 30 calendar days of the date
of initial detection of the facts that caused the bank to
believe a suspicious activity has occurred.
If the report was not filed within 30 days, the filing delay
(an additional 30 days) was in order to identify a
suspect.

B. The appropriate law enforcement authority was notified by

telephone in addition to the filing of the SAR if the suspicious
activity required immediate attention.

C. The SAR was sent to FinCEN without supporting documentation.

D. A copy of the report was sent to state and local authorities, if

appropriate. (This is not required, but banks are encouraged to
do so.)

7. Determine that the bank maintain copies of all SAR filed and any
supporting documentation for five years after the date of filing.

8. Summarize results of testing and conclude as to whether the audit

objective has been met.