What Does It Take to Run a BSA Program? Not Much, According to the FDIC

Unfortunately, the FDIC’s estimate of the time and effort it takes to run a BSA/AML compliance program is … laughable.

Let’s start with some background information.

FDIC-Supervised Banks

There are about 5,200 FDIC-insured banks in the United States. And the FDIC is the primary regulator for about 3,340 of these banks – those that are “state-chartered”.

The FDIC has placed those banks into three buckets based on their size, as measured by the bank’s total assets. (Note that loans are always the biggest category of asset that banks have on their books, and the asset “loans” is generally offset by the liability of “deposits” … balance sheets of most banks aren’t that complicated.)

  • Small Institutions – are those with assets of less than $500 million. About 75% of state-chartered and FDIC-supervised banks, or 2,523 banks, are in this category. FDIC data suggests that the average bank in this category has 40 to 50 employees.
  • Medium Institutions – are those with assets between $500 million and $10 billion. About 23% of state-chartered and FDIC-supervised banks, or 774 banks, are in this category. FDIC data suggests that the average bank in this category has about 270 employees.
  • Large Institutions – are those with assets of more than $10 billion. Only about 2% of state-chartered and FDIC-supervised banks, or 47 banks, are in this category. FDIC data suggests that the average bank in this category has about 2,500 employees.

One other benchmark. A full-time employee, or FTE, has about 250 work days in a year (52 weeks, 5 days a week, less 10 statutory or legal holidays). Let’s also assume they take four weeks’ vacation – so we’re at about 230 days. At 8 hours a day, that’s 1,840 hours. To keep the math simple, let’s use 1,800 hours as the benchmark for how many hours any one employee, or FTE, has available in a year.

Bank Secrecy Act (BSA) Program Requirements

All financial institutions in the United States – banks, credit unions, broker dealers, insurance companies, check cashers, and more – are required to have written BSA compliance programs. The requirements around these programs are so onerous that the regulatory agencies have published a manual that gives their examiners a roadmap on how to examine or supervise those institutions to ensure they do, in fact, have adequate programs. That manual, the FFIEC BSA/AML Examination Manual, is now over 420 pages long.

What are the program requirements? As the FDIC notes, the banks it supervises must “establish and maintain procedures designed to monitor and ensure their compliance with the requirements of the Bank Secrecy Act and the implementing regulations promulgated by the Department of Treasury at 31 CFR Chapter X. Respondents must also provide training for appropriate personnel.” The Manual gives some more detail. Banks must do a risk assessment to understand their customer, product and service, and geographical risks. That risk assessment must be updated as the bank’s profile changes over time. Banks must also have a Customer Identification Program, or CIP. Banks must have a written, board-approved program that includes, at a minimum, certain “pillars” – preventive and detective controls, a BSA compliance officer, independent testing or auditing of the program, and training. And those preventive and detective controls include the ability to monitor for, and alert on, unusual activity, and to investigate and report suspicious activity.

How Much Time Does it Take to Build and Maintain a BSA Compliance Program?

Let’s use a “Medium” institution as a benchmark. Those are the 774 FDIC-supervised institutions that have about 270 employees, on average. We’ll also assume that they have a full-time BSA Officer with a staff of four people. Those five people are responsible for writing policies and procedures and distributing those down to the business and operations people; for establishing customer onboarding requirements; for setting up and maintaining the transaction monitoring systems; for generating and dispositioning any alerts from those systems; for investigating and reporting possible suspicious activity; for designing and conducting training for the other 265 employees; for managing the audits and FDIC examinations of the program; and for doing the required reporting to senior management and the board.

Those five people can’t do everything themselves. They depend on front-line staff to onboard customers and handle the documentation of transactions. They depend on the audit group for the independent testing. The in-house law department is likely involved and providing legal and compliance-related advice. So let’s assume that there may be 20 or 30 other people that spend 20% of their time managing one or more aspects of the BSA/AML compliance program. That’s another 5 FTE. So we’re up to 10 FTE.

10 FTE is 18,400 hours of time. And let’s not forget training. Assume that everyone goes through 1 hour of training a year. Now we’re up to 18,670 hours of time. It’s probably safe to build in a 5% +/- cushion, in case these estimates are off a little bit. And it makes the math easier. It’s fair to say that …

A medium-size bank will spend 20,000 hours a year running its BSA/AML compliance program

What about small and large banks? If we simply extrapolate the 20,000 hours for the average medium-sized bank out to the average small and large bank, we’d get the following estimates:

Small Bank – 3,700 hours or 2 FTE to run a BSA/AML compliance program

Medium Bank – 20,000 hours or 10 FTE to run a BSA/AML compliance program

Large Bank – 185,000 hours or 100 FTE to run a BSA/AML compliance program

What does the FDIC have to say about that?

According to the FDIC, a bank will spend between 35 and 450 hours a year running its BSA/AML compliance program!

What?

On June 2, 2020, the FDIC published a request for comment in the Federal Register – https://www.govinfo.gov/content/pkg/FR-2020-06-02/pdf/2020-11855.pdf. The FDIC, as part of its obligations under the Paperwork Reduction Act of 1995 (PRA), invited the general public and other Federal agencies to comment on the renewal of the then-existing burden on FDIC-supervised banks to “establish and maintain procedures designed to monitor and ensure their compliance with the requirements of the Bank Secrecy Act and the implementing regulations promulgated by the Department of Treasury at 31 CFR Chapter X” and to “provide training for appropriate personnel.”

At that time, here’s what the FDIC estimated were the burdens for its supervised banks:

As can be seen here, the FDIC estimated that the burden on 75% of its supervised banks – the smallest banks – was 35 hours a year. That’s one person spending less than one week a year to run a BSA/AML compliance program – all the policies, procedures, customer onboarding, monitoring, investigating, reporting, auditing, and examining. And for the largest banks, if you believe my estimate that it takes the equivalent of about 185,000 people-hours to run a BSA/AML compliance program, the FDIC estimates that it takes about 0.2% of that time to actually run the program.

There’s a disconnect.

But, as the FDIC points out in its most recent Federal Register notice, which will be formally published tomorrow (August 7, 2020) but is available today (August 6th), it didn’t receive any comments from the private or public sector about its estimates of the burden of running a BSA/AML compliance program! See https://s3.amazonaws.com/public-inspection.federalregister.gov/2020-17330.pdf

But there is still an opportunity to comment. The FDIC is giving us another 30 days to submit comments. I encourage people to do so.