A Risk-Based Approach to BSA/AML and OFAC Compliance
How much do you know about your third-party vendors? Could your subcontractors be laundering money used to finance drug cartels, terrorist organizations, or other illegal activities?
It’s not as far-fetched as you might imagine. Without your knowledge, your bank or credit union may be out of compliance with the Bank Secrecy Act (BSA) and its anti-money laundering (AML) requirements because of what a vendor, or a vendor’s subcontractor, is doing.
Also, when your third-party vendors are foreign entities, your financial institution may face additional compliance burdens from the Treasury Department’s Office of Foreign Assets Control (OFAC). Bankers know that third-party vendors sanctioned by OFAC could be involved in not just criminal but terrorist activity.
BSA/AML and OFAC compliance remain atop the list of risks for financial institutions. What can you do to minimize this risk as you manage your vendors?
Vet thy vendors!
Before starting a relationship with a third party, assess their activities. Are they subject to laws and regulations involving privacy, information security, fiduciary requirements and, most importantly, BSA/AML and OFAC?
When conducting due diligence reviews, gather information about the entity, including:
- Experience and reputation
- History and performance
- Stated goals
- Risk management practices
- Insurance coverage
Put it in a contract
Incorporate your findings into your contractual relationship. When drafting the contract, require that the third party provide and retain timely, accurate, and comprehensive information. This includes records and reports that allow bank management to monitor performance, service levels, and risks. Stipulate the frequency and type of BSA/AML and OFAC compliance responsibilities and reports.
You should also ensure the contract addresses compliance with the specific laws, regulations, guidance, and self-regulatory standards applicable to the activities involved. This includes provisions that outline compliance with BSA/AML and OFAC. Require a right for you to conduct periodic reviews to verify the third party’s compliance with the bank’s policies and expectations.
Finally, state your right to continuously monitor the vendor’s compliance with applicable laws, regulations, and policies. Require remediation if issues arise.
Protect Yourself with a VRM Solution
As with all aspects of compliance, third-party relationships require contracts, due diligence, monitoring, and review. The best way to verify your vendors are on the up-and-up? Using a vendor risk management (VRM) system.
A VRM solution can verify your vendor’s activities throughout a continuous life cycle. At onboarding it supports contract review and compliance audits; after onboarding it provides ongoing monitoring and alerting.
Due diligence also includes automated daily screening of every vendor against OFAC’s sanctions lists and other watchlists. Any potential matches are detailed on a system-generated vendor due diligence report. Because screening is name-based, a match is a candidate for human review, not a determination that the vendor is sanctioned; expect and document false positives.
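The screening step described above, as an added example that is not code from the original page or from any VRM product. The list records, vendor names and the 0.85 threshold are constructed for illustration; a production screen loads OFAC’s published list files on every run and normally uses stronger matching (phonetic and token-based) than Python’s `difflib`. The example also shows the failure mode the threshold controls: a transliterated name is caught at 0.85 and missed at 0.95.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample records standing in for entries on an OFAC sanctions list.
# The names are fictitious. A real screen loads the current list published by
# OFAC on every run instead of hard-coding it.
SAMPLE_SDN = [
    {"uid": 1001, "name": "ACME TRADING COMPANY LTD",
     "aka": ["ACME TRADING CO", "ACME TRDG"]},
    {"uid": 1002, "name": "GLOBAL LOGISTICS S.A.", "aka": ["GLOBAL LOGISTIC"]},
    {"uid": 1003, "name": "NORTHERN STAR SHIPPING", "aka": []},
]

# Generic corporate words carry no identifying information, so they are dropped
# before comparison; otherwise "ACME Trading Co., Ltd." and "ACME TRADING
# COMPANY" would look further apart than they are.
STOPWORDS = {"ltd", "limited", "llc", "inc", "co", "company", "corp",
             "corporation", "sa", "gmbh", "plc", "the"}


def normalize(name: str) -> str:
    """Fold accents, case and punctuation so cosmetic differences do not hide
    a match ("Générale" -> "generale", "S.A." -> "sa", then dropped)."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    s = s.replace(".", "")            # keep abbreviations such as S.A. as one token
    s = re.sub(r"[^a-z0-9 ]+", " ", s.lower())
    return " ".join(t for t in s.split() if t not in STOPWORDS)


def similarity(a: str, b: str) -> float:
    """Character-level similarity in [0, 1]; 1.0 means identical after normalization."""
    return SequenceMatcher(None, a, b).ratio()


def screen(vendor_name: str, sdn_list=SAMPLE_SDN, threshold: float = 0.85) -> list:
    """Return potential list hits for one vendor, strongest first.

    Each hit names the list record, the alias that scored highest and the
    score. The threshold trades false positives (too low) against missed
    variants such as transliterations (too high); every hit is a candidate
    for human review, not a determination that the vendor is sanctioned.
    """
    norm = normalize(vendor_name)
    hits = []
    for entry in sdn_list:
        best_score, best_alias = 0.0, None
        for alias in [entry["name"]] + entry["aka"]:
            score = similarity(norm, normalize(alias))
            if score > best_score:
                best_score, best_alias = score, alias
        if best_score >= threshold:
            hits.append({"uid": entry["uid"], "alias": best_alias,
                         "score": round(best_score, 3)})
    hits.sort(key=lambda h: h["score"], reverse=True)
    return hits


def screen_vendors(vendors, sdn_list=SAMPLE_SDN, threshold: float = 0.85) -> dict:
    """Screen a whole vendor inventory; the result is the raw material for a
    due diligence report listing only vendors with at least one hit."""
    report = {v: screen(v, sdn_list, threshold) for v in vendors}
    return {v: hits for v, hits in report.items() if hits}


if __name__ == "__main__":
    # Constructed vendor inventory: an exact match after normalization, a
    # transliteration variant, and an unrelated vendor.
    inventory = ["Acme Trading Co., Ltd.", "Akme Trading", "Blue Ocean Consulting"]
    for vendor, hits in screen_vendors(inventory).items():
        for h in hits:
            print(f"{vendor!r}: possible match uid={h['uid']} "
                  f"alias={h['alias']!r} score={h['score']}")
```

Run daily against the freshly downloaded list, keep the report of hits and the reviewer’s disposition of each one, and re-screen existing vendors as well as new ones: a vendor that was clean at onboarding can be designated later.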
Once a relationship with a vendor is established, a VRM solution supports you with specialized expertise, technology, and resources. This helps you prepare for supervisory reviews by regulators such as the Office of the Comptroller of the Currency (OCC). Such examinations evaluate:
- Safety and soundness risks
- The financial and operational viability of the third party to fulfill its contractual obligations
- Compliance with applicable laws and regulations, including BSA/AML and OFAC laws
For a successful VRM program, you must be able to adapt quickly to stay ahead of a changing regulatory environment. To avoid potential violations and the civil liability that follows them, make BSA/AML and OFAC compliance a consistent focus of your VRM program.