November 16, 2005

Communications Division
Office of the Comptroller of the Currency
Public Information Room
Mailstop 1-5
250 E Street, SW
Washington D.C. 20219

Attention: 1557-0231

Re: Information Collection–Bank Secrecy Act/
      Anti-Money Laundering Risk Assessment, OMB No. 1557-0231
      70 FR 54982 (September 19, 2005)

Dear Sir:

America’s Community Bankers (ACB) is pleased to respond to the Office of the Comptroller of the Currency’s (OCC) request for comment on the amount of time necessary for a national bank to demonstrate that it has updated its Bank Secrecy Act (BSA) risk assessment to address new products and services, changes in existing products and services, and growth of the institution. The OCC’s request for comment is required by the Paperwork Reduction Act of 1995.

The OCC estimates that a national bank spends 10.46 hours each year to meet this requirement. This is only an estimate of the time it takes an institution to comply with the OCC’s information collection. It does not include the time necessary to actually conduct a BSA risk assessment. ACB offers the following comments regarding the OCC’s estimate.

ACB Position

ACB generally agrees with the OCC’s estimate of time a national bank will spend completing paperwork requirements associated with a BSA risk assessment information collection. However, ACB emphasizes that the regulatory burden associated with such information collections involves far more than simply complying with a paperwork requirement. Before a community bank can thoroughly respond to the OCC information collection, the institution must spend many hours over the course of an exam cycle studying its money laundering risk exposure and updating its anti-money laundering program risk assessment.

The anti-money laundering risk assessment is the foundation of a community bank’s BSA program. After the USA Patriot Act was enacted, community banks evaluated business lines, customers, and geographic locations for potential money laundering risk. This process helped depository institutions identify gaps in their anti-money laundering programs and implement internal controls to mitigate money laundering risk. However, the risk assessment exercise does not end once a board of directors adopts a written BSA program. The federal banking agencies have emphasized that the BSA risk assessment must be an ongoing process; it cannot be an event.

Therefore, responding to the information collection requirement is more involved than simply completing a form. An institution must spend a significant amount of time and resources analyzing risk and updating the risk assessment before it is able to respond to a BSA risk assessment information collection.

• Many community banks conduct a BSA risk assessment before rolling out a new product. Bank employees research BSA risks and may modify a new product or adjust internal controls accordingly. Increasingly, examiners expect institutions to document how internal controls influence the BSA risk rating assigned to a particular product or service. This must be reflected in the updated BSA risk assessment.
   
• Community bank staff must continually be on the lookout for new BSA risks that develop for existing products and services. For instance, FinCEN and law enforcement recently raised concerns about the money laundering risk posed by stored value cards, but offered little in the way of guidance for addressing the risks associated with this product.
   
• Community banks closely monitor the money laundering risk for existing business lines that often are a growing segment of an institution’s balance sheet. For example, one ACB member analyzes the BSA risk posed by its business customers every quarter (in addition to suspicious activity monitoring). This community bank is growing its commercial banking business and wants to ensure that its risk analysis keeps pace with the bank’s growth in this area.
   
• Institutions evaluate money laundering risk when entering new markets, including new geographic locations and new kinds of customers.
   
• Community banks report that federal regulators require institutions undergoing a merger or acquisition to closely assess the BSA risk posed by these transactions.

Conclusion

ACB understands that the OCC’s estimate of the amount of time required to respond to a risk assessment information collection does not include the time to actually conduct and update the risk assessment. However, we believe it is important to reiterate that the actual compliance burden associated with updating a risk assessment is significant.

For many community banks, the cumulative burden of all BSA-related compliance requirements is difficult to manage. Because regulators are focused on BSA compliance, community banks are spending significant amounts of time and money to employ additional staff, hire consultants, and purchase account monitoring software to ensure that their BSA compliance programs are current and board approved.

This burden has become more pronounced now that the banking regulators expect institutions to review BSA risk on an ongoing basis. As a practical matter, we believe that all community banks, especially those with more complex product offerings or institutions in certain geographic locations, must devote more than 10.46 hours to be able to comply with the OCC’s information request.

Thank you for the opportunity to comment on this important matter. Should you have any questions, please contact the undersigned at 202-857-3187 or [email protected]

Sincerely,

Krista J. Shonk
Regulatory Counsel

cc: Mark Menchik, OMB Desk Officer
      Office of Management and Budget