Response to Public Comments

Response to Public Comments

Commenter issues fell into three general categories: consistency with the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual (Exam Manual) and Federal Bank Agency (FBA) implementation; regulatory burden; and redundancy of information in relation to the risk assessment process. In addition, one commenter requested that OMB reduce the two-year renewal request to one year and one other commenter requested the elimination of data reconcilement requirements.

Consistency with BSA Exam Manual and FBA Implementation

We do not agree with the commenter assertions that the Office of the Comptroller of the Currency’s (OCC) Money Laundering Risk System (MLR) is in conflict with the Exam Manual or its implementation by the FBAs. To the contrary, we believe that the MLR is entirely consistent with the Exam Manual and its implementation and, in fact, greatly facilitates the requirement in the Exam Manual for banks to conduct a risk assessment, as well as the risk-based supervisory approach endorsed by all of the FBAs.

Under 12 CFR 21.21, national banks are required to develop and provide for the continued administration of a program reasonably designed to assure and monitor their compliance with the Bank Secrecy Act (BSA) and Treasury Regulations at 31 CFR 103. The compliance program must be in writing, approved by the board of directors and noted in the minutes (this requirement is currently approved by OMB under control no. 1557-0180). Critical to the development of a bank’s BSA compliance program is the development of internal controls designed to address the risks unique to the bank. Banks design appropriate internal controls and the BSA compliance program based on their risk assessment.

The Exam Manual, originally published June 30, 2005, outlines FBA risk assessment expectations (see pages 18 – 27, 2007 edition). Specifically, it states that “[t]he bank should consult with all business lines in developing the risk assessment. The risk assessment process should weigh a number of factors, including the risk identification and measurement of products, services, customers, and geographic locations.” The MLR follows the same risk assessment principles as detailed within the Exam Manual. The MLR requests identification and measurement information of bank related products, services, customers, and geographic locations. In sum, there is no inconsistency between the MLR and the Exam Manual.

In addition to imposing a risk assessment requirement on banks, the Exam Manual requires examiners from all the FBAs, to evaluate a bank’s risk assessment during each examination cycle. FFIEC examination procedures require examiners to evaluate each bank’s risk assessment. The MLR allows the OCC to evaluate bank risk assessment related information on a systematic basis versus reviewing it examination by examination. This enhances OCC’s BSA/AML supervision by providing a more thorough and systematic method for examiners to assess a bank’s risk profile. It also assists examiners and OCC management in evaluating and determining examination scopes, and identifying areas where expanded examination procedures and transaction testing may be needed.

Regulatory Burden

We do not agree with the commenter assertions that the OCC’s MLR system causes excessive burden to complete. Moreover, because use of the MLR data facilitates the OCC’s risk-based supervisory approach, we believe that the MLR will actually reduce burden by allowing the OCC to concentrate its resources on those institutions presenting the greatest risk, while conducting more streamlined examinations at those institutions which do not.

The MLR requests risk assessment information already required by the Exam Manual (see regulatory expectations related to risk assessment and comments within the first section). Banks will be providing risk assessment information, via the MLR, that they should already possess. As a result, the burden to provide MLR information should not be significant and the burden estimates provided are considered reasonable. In fact, one commenter stated that “[w]e have not purchased new software or services to complete the MLR.” In other words, the bank was able to complete the MLR data collection using information it had compiled for their BSA/AML risk assessment.

One of the primary objectives of the MLR and realized outcomes is a reduction of burden on banks exhibiting lower risk attributes. OCC examiner resources and workdays dedicated to BSA/AML compliance supervision for the three years prior to the implementation of the MLR progressively increased each year. OCC examination workdays for community banks were 2,439 for 2003, 4,402 for 2004, and 11,116 for 2005. The MLR has significantly enhanced the OCC’s ability to differentiate risk within and between banks and focus resources on banks indicating higher risk. By evaluating bank risk information on a systematic basis examiner strategy development, examination scoping, and transaction testing has improved. OCC examination workdays for community banks decreased to 10,249 in 2006 and 6,694 for the first three quarters of 2007. Additionally, there is a strong correlation to the percentage of BSA/AML workdays of the level of BSA/AML risk of the community bank.

Redundancy of Risk Assessment Information

We do not agree with the commenter assertions that the MLR is redundant to the risk assessment process articulated in the Exam Manual. Rather, we believe that the MLR is entirely consistent with, and complements, the risk assessment requirement in the Exam Manual.

The MLR requests BSA/AML risk assessment information from community banks in a systematic manner to conduct analysis of BSA/AML risk within the OCC’s community bank portfolio. One commenter quoted the Exam Manual, stating, “[t]here are many effective methods and formats used in completing a BSA/AML risk assessment; therefore, examiners should not advocate a particular method or format.” We agree that a bank’s BSA/AML risk assessment should be internally developed and individualized to specific bank needs, and the MLR does not take the place of the bank’s BSA/AML risk assessment. This fact has been articulated in guidance materials repeatedly since the MLR was implemented. However, while the MLR neither takes the place of the bank’s own risk assessment nor dictates its form, the types of information that banks are required to provide under the MLR are precisely the same types of information that banks typically gather in conducting their own risk assessments. Consequently, the MLR essentially requires banks to provide information that they already possess and collect.

Requirement for MLR Data to Reconcile

One commenter expressed concerns regarding the MLR requirement to reconcile number and dollar data on individual geographies respective to the parent MLR transaction data category. The OCC, in an effort to be responsive to our community bankers, has evaluated this feedback and has removed the reconcilement requirement for transaction type products, services, customers, and geographies.

Reduce OMB approved timeframe from 2 years to 1 year

The OCC requests another 2-year OMB approval.

In conclusion, the OCC requests approval of the Paperwork Reduction Act request, including the 2-year cycle. The MLR has enhanced our risk focused examination process and the ability of examiners and bank management to identify and evaluate BSA/AML risk associated with bank products, services, customers, and geographies, resulting in an overall reduction of OCC BSA examination workdays over the past two years. The MLR is consistent with FFIEC examination guidelines and procedures, does not place substantial burden on national banks, and is not redundant with the risk assessment requirements in the Exam Manual.