Introductory BSA AML Examiner School Manual Palm Springs 2019

Federal Deposit Insurance Corporation State Bank Department Division of Risk Management Supervision 400 Hardin Road 6060 Primacy Parkway, Suite 300 Suite 100 Memphis, Tennessee 38119 Little Rock, Arkansas 72211 Telephone (901) 685-1603, FAX: (901) 821-5308

Telephone (501) 324-9019, FAX: (501) 324-9028

Supervisory Letter #09-20XX

October 20, 20XX

Board of Directors Bank of Smithville

1701 Center Parkway Little Rock, AR 74283 Attention: George Smith, Chairman and Chief Executive Officer Subject: Bank Secrecy Act (BSA) Target Review

The Federal Deposit Insurance Corporation (FDIC) and the Arkansas State Bank Department (ASBD) conducted a joint target review of the bank’s Bank Secrecy Act (BSA) program that commenced on July 10, 20XX. Senior Examiner Duane M. Brown served as the lead examiner for the FDIC and Bank Exam Manager (BEM) Dereck Pace served as the lead examiner for the ASBD for this review. Senior Examiner-Large Financial Institutions (LFI) John Long and Assistant Deputy Commissioner (ADC) Micah Bell served as Examiners-in-Charge (EIC) for the FDIC and ASBD, respectively. SCOPE The target review assessed the adequacy of the BSA and Anti-Money laundering (AML) program and the bank’s compliance with applicable laws and regulations, including Part 326 of the FDIC Rules and Regulations. As part of the review, limited transaction testing was conducted to evaluate various aspects of the BSA/AML program including: policies, procedures, and internal controls; suspicious activity monitoring; independent risk management functions; audit practices; training; and personnel resources. SUMMARY OF FINDINGS The overall BSA/AML program reflects the need for improvement. Two apparent pillar violations are cited: System of Internal Controls and BSA Officer. The acquisitions through merger, conversion to a new suspicious activity automated monitoring system (Verafin), and lack of personnel resources have resulted in several program deficiencies. These issues contributed to backlogs in the processing of Verafin alerts and cases, ultimately resulting in systemic late submissions of Suspicious Activity Reports (SARs). Insufficient resources also contributed to the failure to file SARs for activity with no business or apparent lawful purposes; failure to submit SARs for activity designed to evade reporting requirements; and the lack of effective monitoring of privately-owned ATMs (POATMs). Additional internal control issues involve the