Answers to Frequently Asked Bank Secrecy Act (BSA) Questions
The following provides answers to basic questions that are frequently asked
regarding the BSA. The answers are not meant to be comprehensive, to apply to all
factual situations, or to replace or supersede the BSA regulations. Additional
questions and answers will be posted on a periodic basis.
Question 1: Is a depository institution required to file a
Designation of Exempt Person form (TD F 90-22.53) in order to
exempt transactions with a Federal Reserve Bank?
Answer 1: Depository institutions are not required to file a Designation of
Exempt Person form (TD F 90-22.53) with respect to the transfer of currency to
or from any of the 12 Federal Reserve Banks in accordance with an Interim Rule
published by FinCEN in the Federal Register (65 FR 46356-46361) on July
28, 2000. This Interim Rule, which amends the CTR exemption regulation at 31 CFR
Section 103.22(d), became effective on July 31, 2000. (7/2000)
Question 2(a): Where can a depository institution obtain a copy of the Designation of Exempt
Person form (TD F 90-22.53), which must be used to designate an eligible customer
as an exempt person from currency transaction reporting rules of the Department
of the Treasury (31 CFR Section 103.22(d)(2))?
Answer 2(a): The Designation of Exempt Person form may be obtained by
calling the IRS Forms Distribution Center at 1-800-829-3676. This form is also
available from FinCEN’s web site at http://www.fincen.gov,
under "Forms." (7/2000)
Question 2(b): Where does a depository institution file the Designation
of Exempt Person form?
Answer 2(b): The Designation of Exempt Person form should be filed with the
U.S. Department of the Treasury, P.O. Box 33112, Detroit, Michigan 48232-0112.
This is the Post Office mailing address for receipt of these forms by the IRS
Enterprise Computing Center-Detroit. Magnetic media filers of these forms should mail
magnetic media/diskettes to the IRS Enterprise Computing Center-Detroit, FinCEN, 985
Michigan Avenue, Detroit, Michigan 48226. (7/2000)
Question 2(c): Does the IRS Enterprise Computing Center-Detroit ("ECC-D")
provide depository institutions with a confirmation of receipt of the
Designation of Exempt Person form (TD F 90-22.53)?
Answer 2(c): The ECC-D does not send a confirmation to depository institutions upon its
receipt of the Designation of Exempt Person form by paper filers. However,
magnetic media filers receive a computer generated confirmation that the filing
has been received. If a depository institution needs confirmation that a paper
form has been received, it may call ECC-D at (313) 234-2011, and the procedures
for submitting a written request and the cost will be explained. (7/2000)
Question 3: The reformed CTR exemption regulation (31 CFR Section
103.22(d)(3)(ii)) states "when designating another bank as an exempt
person, a bank must either make the filing required by paragraph (d)(3)(i) of
this section or file, in such a format and manner as FinCEN may specify, a
current list of its domestic bank customers." What is the format and manner
specified by FinCEN to provide a list of exempted domestic banks?
Answer 3: FinCEN will provide notification if a special procedure, such as
listing the exempted domestic banks, becomes available so that bank customers
can be exempted in a more streamlined way. At this time, database system
constraints do not allow such a procedure to be implemented. Therefore, a
depository institution should file the Designation of Exempt Person form (TD F
90-22.53) for each of the domestic bank customers that it wishes to exempt. (7/2000)
4. There are frequently asked questions regarding Repeated SAR Filings on
the same Activity. The following discussion is contained in Section 5 of The
SAR Activity Review – Trends, Tips & Issues (October 2000).
One of the purposes of filing SARs is to identify violations or potential
violations of law to the appropriate law enforcement authorities for criminal
investigation. This is accomplished by the filing of a SAR that identifies the
activity of concern. Should this activity continue over a period of time, it is
useful for such information to be made known to law enforcement (and the bank
supervisors). As a general rule of thumb, organizations should report continuing
suspicious activity with a report being filed at least every 90 days. This will
serve the purposes of notifying law enforcement of the continuing nature of the
activity, as well as provide a reminder to the organization that it must
continue to review the suspicious activity to determine if other actions may be
appropriate, such as terminating its relationship with the customer or employee
that is the subject of the filing. (12/2000)
5. There are frequently asked questions regarding Cessation of
Relationship/Closure of Account as a result of the identification of
suspicious activity. The following discussion is contained in Section 5 of The
SAR Activity Review – Trends, Tips & Issues (October 2000).
The closure of a customer account as the result of the identification of
suspicious activity is a determination for an organization to make in light of
the information available to the organization. A filing of a SAR, on its own,
should not be the basis for terminating a customer relationship. Rather, a
determination should be made with the knowledge of the facts and circumstances
giving rise to the SAR filing, as well as other available information that could
tend to impact on such a decision. It may be advisable to include the
organization's counsel, as well as other senior staff, in such determinations.
6. There are frequently asked questions regarding Timing for SAR Filings.
The following discussion is contained in Section 5 of The SAR Activity Review
– Trends, Tips & Issues (October 2000).
The SAR rules require that a SAR be filed no later than 30 calendar days from
the date of the initial detection of the suspicious activity, unless no suspect
can be identified, in which case, the time period for filing a SAR is extended
to 60 days.
It may be appropriate for organizations to conduct a review of the activity
to determine whether a need exists to file a SAR. The fact that a review of
customer activity or transactions is determined to be necessary is not
necessarily indicative of the need to file a SAR, even if a reasonable review of
the activity or transactions might take an extended period of time. The time to
file a SAR starts when the organization, in the course of its review or on
account of other factors, reaches the position in which it knows, or has reason
to suspect, that the activity or transactions under review meets one or more of
the definitions of suspicious activity.
Of course, an expeditious review, wherever possible, is recommended and can
be of significant assistance to law enforcement. In situations involving
violations of law requiring immediate attention, the organization should
immediately notify appropriate law enforcement and supervisory authorities, in
addition to filing a SAR. (12/2000)
7. There are frequently asked questions regarding the Disclosure of SARs
and Underlying Suspicious Activity. The following discussion is contained in
Section 5 of The SAR Activity Review – Trends, Tips & Issues (October 2000).
Federal law (31 U.S.C. 5318(g)(2)) prohibits the notification of any person
that is involved in the activity being reported on a SAR that the activity has
been reported. This prohibition effectively precludes the disclosure of a SAR or
the fact that a SAR has been filed. However, this prohibition does not preclude,
under federal law, a disclosure in an appropriate manner of the facts that are
the basis of the SAR, so long as the disclosure is not made in a way that
indicates or implies that a SAR has been filed or that the information is
included on a filed SAR.
The prohibition against disclosure can raise special issues when SAR records
are sought by subpoena or court order. The SAR regulations direct organizations
facing those issues to contact their primary supervisor, as well as FinCEN, to
obtain guidance and direction on how to proceed. In several matters to date,
government agencies have intervened to ensure that the protection for filing
organizations and the integrity of the data contained within the SAR database
remain intact. (12/2000)
8. There are frequently asked questions regarding Filing SARs on
Continuing Activity after Law Enforcement Contact. The following discussion
is contained in Section 6 of The SAR Activity Review – Trends, Tips &
Issues (June 2001).
In some instances, after the filing of one or more SARs, law enforcement has contacted a financial
institution requesting more specific information with regard to the suspect activity
or requesting identified supporting documentation. In other instances, a law enforcement
agency has contacted a financial institution to report that it does not intend to investigate the
matter reported on the SAR.
If conduct continues for which a SAR has been filed, the guidance set forth
in the October 2000 SAR Activity Review (Section 5 – Repeated SAR
Filings on the Same Activity) should be followed (i.e.,
organizations should report continuing suspicious activity with a SAR being
filed at least every 90 days) even if a law enforcement agency has declined to
investigate or there is knowledge that an investigation has begun. The filing of
SARs on continuing suspicious activity provides useful information to law
enforcement and supervisory authorities. Moreover, the information contained in
a SAR that one law enforcement agency has declined to investigate may be of
interest to other law enforcement agencies, as well as supervisory agencies. (6/2001)
9. There are frequently asked questions regarding Filing SARs on Activity Outside
the United States. The following discussion is contained in Section
6 of The SAR Activity Review – Trends, Tips & Issues (June 2001).
Consistent with the SAR regulations, it is expected that financial
institutions will file SARs on activity deemed to be suspicious even when a
portion of the activity occurs outside of the United States or the funds
involved in the activity originated from outside the United States. Although
foreign-located operations of U.S. organizations are not required to file SARs,
an organization may wish, for example, to file a SAR with regard to suspicious
activity that occurs outside the United States that is so egregious that it has
the potential to cause harm to the entire organization. (It is, of course,
expected that foreign-located operations of U.S. organizations that identify
suspicious activity will report such activity consistent with local reporting
requirements in the foreign jurisdiction where the operation is located.)
10. There are frequently asked questions regarding the Prohibition on
Notification. The following discussion is contained in Section 6 of The SAR
Activity Review – Trends, Tips & Issues (June 2001).
As set forth in the October 2000 SAR Activity Review (Section 5 –
Disclosure of SARs and Underlying Suspicious Activity), federal law (31 U.S.C.
5318(g)(2)) prohibits the notification to any person that is involved in the
activity being reported on a SAR that the activity has been reported. This
prohibition extends to disclosures that could indirectly result in the
notification to the subject of a SAR that a SAR has been filed, effectively
precluding the disclosure of a SAR or even its existence to any persons other
than appropriate law enforcement and supervisory agency or agencies. This
prohibition does not preclude, under federal law, a disclosure in an appropriate
manner of the facts that are the basis of the SAR, so long as the disclosure is
not made in a way that indicates or implies that a SAR has been filed or that
information is included on a filed SAR.
In the rare instance when suspicious activity is related to an individual in
the organization, such as the president or one of the members of the board of
directors, the established policy that would require notification of a SAR
filing to such an individual should not be followed. Deviations from established
policies and procedures so as to avoid notification of a SAR filing to a subject
of the SAR should be documented and appropriate uninvolved senior organizational
personnel should be so advised.
The prohibition on notification of a SAR filing can raise special issues when
SAR filings are sought by subpoena or court order. The SAR regulations direct
organizations facing these issues to contact their primary supervisor, as well
as FinCEN, to obtain guidance and direction on how to proceed. In several
matters to date, government agencies have intervened to ensure that the
protection for filing organizations and the integrity of the data contained
within the SAR database remain intact. (6/2001)
11. There are frequently asked questions regarding Disclosure of SAR
Documentation. The following discussion is contained in Section 6 of The SAR
Activity Review – Trends, Tips & Issues (June 2001).
Under the SAR regulations, institutions filing SARs should identify within the SAR,
and are directed to maintain all "supporting documentation"
related to the activity being reported. Disclosure of supporting documentation
related to the activity that is being reported on a SAR does not require a
subpoena, court order, or other judicial or administrative process. Under the
SAR regulations, financial institutions are required to disclose supporting
documentation to appropriate law enforcement agencies, or FinCEN, upon request.
12. There are frequently asked questions regarding the Applicability of
Safe Harbor. The following discussion is contained in Section 6 of The SAR
Activity Review – Trends, Tips & Issues (June 2001).
The safe harbor provisions applicable to SAR filings provide a
safe harbor for organizations that provide a SAR to all authorized government personnel,
including Federal, state, and local authorities. Similarly, the safe harbor
provisions apply even if the report of activity that is a possible violation of
law or regulation is made orally or in some form other than through the use of a
Question 13a: A business customer of a depository institution provides payroll
checks to individual employees for work performed. Each payroll check is
under $10,000. However, several employees cash their payroll checks individually
on the same business day, which results in an aggregate cash out from the business
customer’s account in an amount exceeding $10,000. Would the institution be required
to file a CTR, if no one person received an amount in excess of $10,000?
Answer 13a: The financial institution would not need to file a CTR because
it would not be involved in a single cash transaction (or multiple cash transactions for which
a duty to aggregate would arise) of more than $10,000. A financial institution must treat multiple
transactions in currency as a single transaction if the financial institution
has knowledge that the multiple transactions are "by or on behalf of any
person" and result in cash in or cash out totaling more than $10,000
during any one business day. According to the facts described above, the cashing of checks would
be conducted by or on behalf of each individual employee (rather than the business on whose account
each check is drawn), and no one employee would be cashing more than $10,000 in
a single transaction or in multiple transactions during the same business
Question 13b: Would a CTR be required if several individual employees
endorsed their respective payroll checks (all individual payroll checks
are under $10,000 but combined they aggregate to an amount that exceeds $10,000),
and made the checks payable to one employee who, in turn, cashed them at a financial
institution for the purpose of distributing the proceeds back to the individual employees?
Answer 13b: A CTR would be required in this instance because one
person is receiving more than $10,000 in currency. (10/2001)
Question 14: Is a CTR required when a person presents a check, in excess of $10,000, for
payment in cash at a financial institution and receives less than $10,000 after
fees, or other deductions, are charged against the amount of the check?
Answer 14: The BSA only requires a CTR for a transaction in
currency, such as a deposit, withdrawal, exchange or transfer of
currency, in excess of $10,000. A transaction in currency involves the physical
transfer of currency from one person to another. Accordingly, the transfer of
currency below $10,000 would not trigger the CTR requirement, despite the amount
of the check. For example, if a person cashed a check for $10,100 and received $9,990
after a service fee was charged against the amount of the check, the financial
institution would not be required to file a CTR. On the other hand, if a person
purchased a cashier's check for $9,990 and paid a service fee of $20 for a total
of $10,010 in cash, the financial institution would be required to file a
CTR. The key lies in the amount of the physical deposit, withdrawal, exchange or
transfer of currency. (10/2001)
Question 15: If the initial “Designation of Exempt Person” form (“DEP”)
for a non-listed business (or payroll customer) was filed in July 2000,
is the biennial renewal date March 15, 2001 or March 15, 2002?
Answer 15: If you filed a DEP form with respect to a non-listed
business or payroll customer in July of 2000, the filing deadline for biennial
renewal is March 15, 2002 (assuming all applicable criteria listed in 31 CFR §
103.22 (d)(2)(vi) and (vii) still apply to the entity). (10/2001)
31 CFR § 103.22(d)(5)(ii) - Non-listed businesses and payroll customers - states “The designation of a non-listed
business or a payroll customer as an exempt person must be renewed biennially,
beginning on March 15 of the second calendar year following the year in which
the first designation of such customer as an exempt person is made, and every
other March 15 thereafter, on such form as FinCEN shall specify.”
FinCEN offers the following practical examples as a way of demonstrating the
timely biennial renewal of the DEP form with respect to non-listed businesses and payroll customers:
A) Initial DEP forms filed in February of 2001 are required to be renewed on or
before March 15, 2003. Analysis - The initial designation was filed in calendar year 2001
(the base year), the first calendar year following the year in which the initial designation
was made is 2002, the second calendar year following the year in which the initial
designation was made is 2003, and the filing deadline within that second
calendar year is March 15, 2003.
B) Initial DEP forms filed in June of 2001 are required to be renewed on or before March 15, 2003.
Analysis - The initial designation was filed in calendar year
2001 (the base year), the first calendar year following the year in which the
initial designation was made is 2002, the second calendar year following the
year in which the initial designation was made is 2003, and the filing deadline
within that second calendar year is March 15, 2003.
Question 16: When filing the DEP form for biennial renewals of CTR exemptions
for non-listed businesses and payroll customers, what date should be entered as the
“Effective date of the exemption” in Part II box 11?
Answer 16: A bank must report the biennial renewal of CTR
exemptions for eligible non-listed businesses and payroll customers by
completing and filing a DEP form every two years (calendar years) by March
15. See 31 CFR § 103.22 (d)(5)(ii). For biennial renewals, the date entered
in Part II box 11 as the “Effective date of the exemption” should
be the same date the depository institution used in this box when the initial
designation was made utilizing the reformed CTR exemption regulations. (10/2001)
Question 17: Is a state-licensed check-cashing business exemptible under the BSA?
Answer 17: The reformed CTR exemption regulations do not distinguish between a “licensed” or
“non-licensed” business. In determining whether any check-cashing business is eligible for exemption
from currency transaction reporting requirements, a depository institution must determine
whether the business falls into either of two categories described below:
1. An entity listed on one of the major national stock exchanges, or a subsidiary of an entity listed
on those stock exchanges as described in 31 CFR § 103.22(d)(2)(iv)-(v). If a customer
falls under one of the categories identified in 31 CFR § 103.22(d)(2)(i)-(v),
the depository institution does not need to determine if the business activity
is considered ineligible for exemption as identified in 31 CFR §
103.22(d)(6)(viii). Once the depository institution has determined that the customer qualifies for an
exemption based on the above criteria, the depository institution may file a
one-time DEP form.
2. A non-listed business, if the criteria of 31 CFR § 103.22 (d)(2)(vi) are met.
Determining if a business can be considered a non-listed business depends, in part, on
whether the customer is primarily engaged in one or more of the ineligible
business activities listed in 31 CFR § 103.22(d)(6)(viii). If primarily engaged in such ineligible
business activities, then the customer cannot be treated as a non-listed
a. One of the ineligible business activities listed in 31 CFR § 103.22 (d)(6)(viii)
is serving as a financial institution. Under the BSA, the definition of “Financial Institution”
includes money services businesses (MSBs) [31 CFR 103.11(n)(3)]. A check casher is defined as an MSB if it
cashes checks in an amount greater than $1,000 in currency or monetary
instruments for any one person in any one day in one or more transactions [31
CFR 103.11(uu)(2)]. Consequently, if the check casher meets the definition of an MSB, it is considered to be serving
as a financial institution. Therefore, if the check casher is defined as an MSB and is primarily engaged (see item b.
below) in the business of cashing checks [or other ineligible business activity
listed in 31 CFR § 103.22 (d)(6)(viii)], then it is ineligible for treatment as
an exempt person.
b. If a business engages in multiple business activities (e.g.,
money transmission in addition to check cashing), it may be treated as a non-listed
business so long as no more than 50% of its gross revenues is derived from one or more of the ineligible
business activities listed in § 103.22 (d)(6)(viii).
Example 1: A check casher (whether licensed or non-licensed) that
cashes checks in an amount less than $1,000 in currency or monetary instruments
for any one person on any one day and is not involved in any other ineligible
business activity, or derives no more than 50% of its gross revenue from any
such business, may be exempted from CTR reporting requirements as a non-listed
business (assuming that all other criteria listed in 31 CFR § 103.22 (d)(2)(vi)
Example 2: A check casher (whether licensed or non-licensed) that
cashes checks in an amount more than $1,000 in currency or monetary instruments
for any one person on any one day and derives more than 50% of its gross
revenue from cashing checks (and/or other ineligible business activity) may not
be exempted from CTR reporting requirements as a non-listed business because it
is serving as a financial institution under the BSA regulations.
Question 18: How can I verify that a BSA report filed in paper format has been received by the
Answer 18: Requests for verification of filing must be
submitted in writing to:
IRS Enterprise Computing Center-Detroit
Compliance Review Group
P.O. Box 32063
Detroit, MI 48232-0063
The written request should include the following information:
filer name and TIN;
person and TIN on whose behalf the transaction was conducted;
date of the transaction; and
the dollar amount of the transaction.
There is a $20.00 flat fee for verifying ten or fewer forms and a $2.00 fee for each additional
form. If you want a copy of the filed form, an additional fee of .15 ¢ will be charged.
Checks or money orders should be made payable to the Internal Revenue Service.
For additional questions regarding this issue, please contact ECC-D directly at 1-800-800-2877. (10/2001)
Question 19: Does FinCEN prepare and distribute training materials, such as videos,
on the BSA reporting and recordkeeping requirements?
Answer 19: FinCEN does not currently prepare or distribute
training videos or materials. FinCEN frequently participates in conferences and other forums to discuss BSA
reporting and recordkeeping requirements, developments relating to FinCEN's
regulations, and counter money laundering efforts.
FinCEN’s publications also impart information that may be useful in the preparation of training materials, such as SAR Guidance, Strategic Analytical Reports, and The SAR Activity Review: Trends, Tips & Issues, which are available on FinCEN’s web site under the tab for “Reports & Publications”. FinCEN also frequently issues guidance to financial institutions on BSA reporting and recordkeeping requirements.
Furthermore, financial institutions, particularly depository institutions such as banks,
thrifts and credit unions, have significant resource materials available to help them train
from their industry associations and other sources in the private sector. In addition, the primary
regulators may also provide publications and resource material to use in BSA training and may be consulted on BSA
Question 20: As the individual responsible for filing SARs for my financial
institution, sometimes I become confused about the correct blocks to mark on the
form or the information to provide in the narrative. Where might I find guidance
to assist me to properly complete a Suspicious Activity Report?
Answer 20: Several resources are available to guide filers in the completion of a SAR form.
First, be sure to review the completion instructions included with the form.
Regardless of the type of SAR form, all have instructions, which address the specific fields on the form.
Select one of the following types of SAR forms to see the instructions:
Instructions for Suspicious Activity Report for Depository Institutions – TD F 90-22.47
(Special Note: These instructions are being revised to correspond with the new fields
on the latest SAR form for depository institutions, effective July 2003.
Pending publication of the new instructions, the older [June 2000] version may be used as a guide when the fields are the same.)
Finally, if you still have questions after reviewing the aforementioned documents, you may consult your institution’s regulatory
authority for further guidance or call the FinCEN Financial Institutions Help Line at 1-800-949-2732.
Question 21: When a federal, state or local government official, as part of his or her
official duties, engages in a transaction in currency over $10,000, or purchases a
monetary instrument for more than $3,000 in currency, as a non-accountholder, what
kind of identifying information must a financial institution obtain?
Answer 21: Government officials sometimes need to conduct large currency transactions
as part of their official duties. For example, a law enforcement official may wish to convert
seized currency into monetary instruments for security reasons. In such cases, when a
transaction in currency over $10,000 is conducted on behalf of a government agency, rather
than on behalf of an individual, the financial institution involved in the transaction should
file a one-time Designation of Exempt Person form (TD F 90-22.53), to exempt the government
agency from the currency transaction reporting requirements and document the basis
for its conclusion. Subsequent transactions on behalf of the same government agency
would be similarly exempt from the currency reporting requirements. If a financial institution
chooses to file a currency transaction report, it generally is required only to obtain,
verify, and record identifying information pertaining to the agency for which the individual
is working. Thus, any employee identification number, address, or other identifying information
obtained should correspond to the government agency involved, and not the government official
conducting the transaction.
Notwithstanding the above, a financial institution should still obtain and record the name
of the government official conducting the transaction and take those steps that a reasonable
and prudent bank would take to verify and document that the customer is a government official
conducting business on behalf of a government agency. Regarding the purchase of a monetary
instrument for more than $3,000 in currency, a financial institution should record the date
of birth of the government official, in addition to his or her name. (8/1/03)
Question 22: Can you provide guidance on how money services businesses should conduct independent reviews of their anti-money laundering programs?
Answer 22: There are frequently asked questions regarding how to conduct independent reviews on money services business anti-money laundering programs. FinCEN has issued the following guidance.
The Bank Secrecy Act requires money services businesses to establish anti-money laundering programs that include “an independent audit function to test programs.”1 In implementing this requirement, we determined to make clear that money services businesses are not required to hire a certified public accountant or an outside consultant to conduct a review of their programs. Rather, the relevant Bank Secrecy Act regulation requires money services businesses to establish anti-money laundering programs with written policies and procedures that:
Provide for independent review to monitor and maintain an adequate program. The scope and frequency of the review shall be commensurate with the risk of the financial services provided by the money services business. Such review may be conducted by an officer or employee of the money services business so long as the reviewer is not the person designated in paragraph (d)(2) of this section.
The primary purpose of the independent review is to monitor the adequacy of the money services business’ anti-money laundering program. The review should determine whether the business is operating in compliance with the requirements of the Bank Secrecy Act and the business’ own policies and procedures. Each money services business should identify and assess the money laundering risks that may be associated with its unique products, services, customers, and geographic locations. Regardless of where risks arise, money services businesses must take reasonable steps to manage them. Each money services business should focus resources on the areas of its business that management believes pose the greatest risks, and the level of sophistication of the associated internal controls should be appropriate for the size, structure, risks, and complexity of the money services business.
Question 22(a): What should be done during the review?
Answer 22(a): The review should provide a fair and unbiased appraisal of each of the required elements of the company’s anti-money laundering program, including its Bank Secrecy Act-related policies, procedures, internal controls, recordkeeping and reporting functions, and training. The review should include testing of internal controls and transactional systems and procedures to identify problems and weaknesses and, if necessary, recommend to management appropriate corrective actions. For example, if the program requires that a particular employee or category of employee should be trained once every six months, then the independent testing should determine whether the training occurred and whether the training was adequate.
The review also should cover all of the anti-money laundering program actions taken by – or defined as part of the responsibility of – the designated compliance officer. These actions include, for example, the determination of the level of money laundering risks faced by the business, the frequency of Bank Secrecy Act anti-money laundering training for employees, and the adoption of procedures for implementation and oversight of program-related controls and transactional systems.
Question 22(b): Who should conduct the review?
Answer 22(b): Our regulations require an independent review, not a formal audit by a certified public accountant or third-party consultant. Accordingly, a money services business does not necessarily need to hire an outside auditor or consultant. The review may be conducted by an officer, employee or group of employees, so long as the reviewer is not the designated compliance officer and does not report directly to the compliance officer.
Question 22(c): How often should the review occur?
Answer 22(c): The review should be conducted on a periodic basis. The scope and frequency of the review will depend on the money services business’ risk assessment, which should take into account the business’ products, services, customers, and geographic locations. For some money services businesses, based on their risk assessments, an annual review may not be necessary; for others, more frequent review may be warranted. For example, if the money services business’ risk assessment changes, more frequent review may be prudent. Similarly, if compliance problems are identified in a review, it may be advisable to advance the date of the next review to confirm that corrective actions have been taken.
Question 22(d): Should the review be documented in some manner and reported to management?
Answer 22(d): Yes. The person or persons responsible for conducting the review should document the scope of the review, procedures performed, transaction testing completed, if any, findings of the review, and recommendations to management for corrective actions, if any. After the review, the reviewer or the designated compliance officer should track deficiencies and weaknesses discovered during the review and document corrective actions taken by the money services business. All of the documentation should, as appropriate, be made accessible to government examiners and law enforcement personnel who have authority to examine such documents. (9/2006)
The IRS Enterprise Computing Center-Detroit may be contacted at 1-800-800-2877 to assist
you with questions regarding the use of the reformed CTR exemption regulations
(31 CFR Section 103.22(d)(2)), completion of the Designation of Exempt Person
form (TD F 90-22.53), completion of the CTR form (Form 4789), and CTR paper or
magnetic filing issues. For other BSA related questions, you may call FinCEN’s
Regulatory Helpline at 1-800-949-2732, leave a message with your name, name of
your financial institution, and telephone number, and one of our staff will
return your call promptly.