Considering a Bank Acquisition? Don’t Forget BSA and AML

Considering a potential acquisition? Though there is much to get your arms around, don’t forget to assess the target bank’s compliance with the Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) regulations and the impact of the acquisition on your bank’s own AML program. Failure to perform the proper due diligence in this important area could expose you to serious regulatory, reputational, and financial risk.

In connection with a proposed merger or acquisition, considerable analysis needs to be done to assess the target bank’s financial performance, risk management practices, and the quality of its assets. While the primary focus is understandably on asset quality and earnings, one area that may not get the appropriate attention is the target’s BSA/AML compliance program. Indeed, it is crucial that you thoroughly review the bank’s BSA/AML compliance practices, as its clients will become your clients, and its transactions will be flowing through your bank. With recent failures and troubled institutions, some companies may have let their BSA compliance initiatives slip. However, banking regulators have made it clear that BSA/AML compliance is not taking a back seat.

Where to begin

You’ll want to start by reading prior examination reports issued by the target bank’s primary regulator, as well as prior independent BSA/AML audit reports. Observations and weaknesses identified in examination and audit reports may help direct the focus of your due diligence. You will also want to review correspondence between the bank and its regulators and/or law enforcement agencies related to BSA/AML compliance, such as filing errors for Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs), law enforcement subpoenas, or seizures. Be sure to review correspondence between the bank and OFAC to identify any potential reporting of prohibited transactions or blocked property.

An assessment of the target’s BSA/AML compliance program should be conducted to determine whether it has a robust AML program in place. Does the bank’s AML program meet regulatory requirements? Is it commensurate with the bank’s risk profile? Is it on par with your own program? A gap analysis can be performed to identify any shortcomings in the target bank’s BSA/AML program. At a minimum, a BSA/AML program should provide the following:

• a system of internal controls to ensure ongoing compliance;
• independent testing of BSA/AML compliance;
• designation of an individual or individuals responsible for managing BSA compliance; and
• adequate training for appropriate personnel.

You will also want to gauge the compliance culture of the target bank. Have the board of directors and management instilled a culture of compliance throughout the institution to help ensure that employees adhere to the bank’s policies and procedures? Do employees receive appropriate levels of BSA/AML training? The tone at the top is paramount.

It is important to review the target’s internal controls, including policies, procedures, and processes designed to mitigate BSA/AML risk, and determine the extent to which such polices and procedures have been implemented. While most banks have conducted their own BSA/AML risk assessment, you should consider conducting an independent review. This will help you better understand the risks that the bank’s customers, products and services, and locations present to the bank as well as the mitigating controls. A well-developed risk assessment will help you identify and quantify the bank’s BSA/AML risk profile.

It is also important to understand the target bank’s customer base and the extent of the bank’s Know Your Customer (KYC) customer identification program and customer due diligence program. You should assess the extent of identified “high-risk” customers and determine whether the bank has effectively identified customers and activities that pose higher levels of AML risks.

You should determine how the target bank monitors accounts and activity. The bank should have an appropriate system for identifying reportable transactions and accurately filing required reports (i.e., SARs and CTRs). Furthermore, you should assess the technology used to monitor and identify unusual activity. The bank should have policies, procedures, and processes in place to monitor, identify, investigate, and report suspicious activity. Most banks utilize automated systems to monitor account activity or a combination of automated and manual transaction monitoring. If the bank utilizes an automated account monitoring system, you need to review the types of customers, products and services, and transactions that are subject to the automated account monitoring system. You will want to assess the reasonableness of filtering criteria and the methodology for establishing and applying expected activity profiles. It is also important to assess the extent to which the systems aggregate customer activity and the methods for aggregation.

Finally, it is imperative that you analyze a sampling of transactions to gain an understanding of the volume and nature of business flowing through the target bank. Review SARs filed by the bank to identify the volume and characteristics of SARs. This will also help you evaluate the quality of the bank’s suspicious activity monitoring and reporting process. Suspicious activity comes in many forms and a bank that only files suspicious activity reports for structuring activities may indicate monitoring or training deficiencies.

A final consideration that can go overlooked is the impact of the acquisition on your bank’s AML program. Does the acquisition or merger change your BSA/AML risk profile? If so, what steps are necessary to address any additional risks? Remember that a bank’s BSA/AML risk assessment is an ongoing process. As more customers, products and services, and locations are introduced into your institution, either through organic growth or mergers and acquisitions, your BSA/AML risk assessment should evolve to address these new factors.