AL 2000-3
OCC ADVISORY LETTER
Comptroller of the Currency
Administrator of National Banks

Subject: Bank Secrecy Act Compliance Programs--Suspicious Activity Reporting Requirements
Description: Common BSA Compliance Deficiencies

Under 12 CFR 21.21, banks must have adequate internal controls, independent testing, responsible personnel, and training to comply with the Bank Secrecy Act (BSA), including suspicious activity reporting. Failure to establish and maintain adequate systems and controls can expose banks to supervisory and enforcement actions as well as significant legal and reputation risks.

During the past several years, the Office of the Comptroller of the Currency (OCC) conducted specialized BSA/anti-money-laundering examinations that identified a number of common BSA compliance deficiencies. Generally, the OCC noted that banks had good currency transaction reporting (CTR) programs but lacked adequate systems and controls to ensure timely suspicious activity reporting. The OCC found that some banks failed to adequately

* Document and evaluate new, high-risk accounts for money laundering;
* Establish controls and review procedures for high-risk services;
* Monitor high-risk accounts for money laundering, including transactions that far exceeded the normal range of activity for such accounts;
* Conduct adequate independent testing of high-risk accounts for the possibility of money laundering;
* Train employees to detect suspicious activity in high-risk areas like pouch and wire transfer transactions, particularly to/from known drug source or money-laundering havens; and
* Review CTR filing patterns for suspicious activity.

As a result, a number of suspicious activity reports were not timely filed.

High-risk services identified during these examinations included monetary instrument, international pouch (cash letters), deposit broker, and international wire transfer transactions.
High-risk accounts identified included money services businesses, offshore private investment companies, non-discretionary private banking and international correspondent banking customers.

In some BSA audits, independent testing was limited to reporting and record keeping for CTR compliance with little, or no, attention to suspicious activity reporting compliance. Reviewing high-risk accounts for the possibility of suspicious activity is an essential part of a sound BSA compliance program. Internal and external audit scopes should include a review of the bank's systems, controls, and CTR and suspicious activity report filing patterns.

CTR reviews offer an efficient way to detect suspicious cash activity. Cash transactions well outside the range of a customer's normal or expected account activity should be reviewed for the possibility of suspicious activity. In many cases, automated CTR systems also allow banks to efficiently monitor cash activity to determine whether a single cash sum exceeding $10,000 is broken down into smaller amounts or if cash activity is conducted in a series of transactions at or below $10,000.

While the OCC recognizes that BSA programs vary from bank to bank, or product line to product line, in accordance with risk levels, banks must have internal controls to detect and timely report suspicious activity. Banks should apply reasonable judgement and elevated account-opening and suspicious activity-monitoring controls to high-risk accounts, including the types of businesses set forth in 31 CFR 103.22(d)(6)(viii), whenever necessary. Internal control processes, whether in-house or out-sourced, should mitigate the inherent risk of any high-risk account, product, or service that could be misused for money laundering.

Banks should ensure that

* Internal controls, including account opening and documentation procedures and management information/monitoring systems, adequately detect and report suspicious activity in a timely manner;
* Audit processes are risk based; specifically target high-risk accounts and services; and include independent testing of bank systems, controls, and CTR and suspicious activity report filing patterns;
* Training programs address the possibility of suspicious activity in all bank departments, with emphasis on high-risk accounts, products, services, and geographical locations; and
* CTR review procedures capture and report suspicious activity.

If you have any questions, please refer to the OCC's "Bank Secrecy Act" booklet in the Comptroller's Handbook for Compliance for guidance on high-risk accounts and services on our Website (www.occ.treas.gov), contact your supervisory office, or telephone the Community and Consumer Policy Division BSA staff at (202) 874-4428.

_____________________________________
Ralph E. Sharpe
Deputy Comptroller
Community and Consumer Policy

Date: April 25, 2000