Let’s review the top BSA/AML compliance questions asked by mortgage professionals.

1. What is BSA/AML in mortgage lending?

BSA stands for the Bank Secrecy Act. AML stands for Anti-Money Laundering. In mortgage lending, BSA/AML compliance refers to the policies, procedures, controls, training, monitoring, escalation, and reporting processes used to help prevent a mortgage company from being used for money laundering, terrorist financing, fraud, or other illegal activities.

For mortgage companies, BSA/AML compliance is not limited to cash transactions. It includes reviewing suspicious borrower activity, unusual source of funds, identity concerns, third-party involvement, rapid property transfers, and other red flags that may appear during the mortgage loan process.

2. Do the BSA rules apply to mortgage companies and mortgage brokers?

Yes, BSA/AML rules apply to covered non-bank residential mortgage lenders, mortgage brokers and residential mortgage loan originators. A mortgage company should not assume that BSA/AML compliance applies only to banks.

Covered mortgage companies must maintain a written BSA/AML program and file Suspicious Activity Reports when required. These obligations are part of the company’s overall compliance responsibility and should be integrated into the company’s mortgage loan origination, processing, underwriting, closing, quality control, and management oversight processes.

3. Do BSA rules apply to RMLOs?

Yes, BSA/AML rules can apply to residential mortgage lenders and mortgage loan originators based on the activities they perform. This is not a new rule, it has been in effect since 2012. In February 2012, FinCEN published the Final Rule requiring non-bank Residential Mortgage Lenders and Originators (RMLOs) to establish BSA/AML programs and file Suspicious Activity Reports (SARs). The effective date of this final rule was April 16, 2012. With the official compliance date for all non-bank mortgage lenders and originators to have a BSA/AML Compliance Program in place as of August 13, 2012.

4. What type of mortgage loans are covered under BSA/AML rules?

BSA/AML mortgage rules generally apply to residential mortgage loans. This includes loans secured by a mortgage, deed of trust, or similar security interest on a residential structure containing one to four units, or residential real estate where such a structure is located or intended to be constructed.

This can include single-family homes, condominiums, cooperative units, mobile homes, and residential real estate intended for one-to-four family construction.

5. What is the purpose of an AML program?

The purpose of an AML program is to help the company identify, escalate, review, document, and report suspicious activities. A strong AML program gives employees a clear process for recognizing red flags and knowing what to do when something appears unusual or suspicious.

An AML program also helps protect the company from regulatory, investor, wholesale lender, legal, and reputational risk. It should not be a generic policy. It should be tailored to the company’s business model, products, markets, loan channels, employees, branches, referral sources, third-party providers, and overall risk profile.

6. What are the required components of a mortgage AML program?

A mortgage AML program should include four core components.

First, the company must have written policies, procedures, and internal controls based on its money laundering and terrorist financing risks.

Second, the company must designate a compliance officer responsible for overseeing the AML program and ensuring it is implemented effectively.

Third, the company must provide ongoing training to appropriate employees, agents, and brokers.

Fourth, the company must conduct an independent audit to monitor and maintain an adequate program.

7. What is an AML policy for mortgage brokers?

An AML policy for mortgage brokers is the written program that explains how the broker identifies, escalates, reviews, and reports suspicious activity. It should be specific to the broker’s actual loan activities and should not be limited to a generic template.

A strong AML policy for mortgage brokers should address risk assessment, internal controls, employee responsibilities, red flag identification, source-of-funds concerns, SAR escalation, SAR confidentiality, OFAC considerations, third-party oversight, training, independent audit, and record retention.

8. What is a BSA/AML risk assessment?

A BSA/AML risk assessment identifies where the company may be exposed to money laundering, terrorist financing, fraud, sanctions, or suspicious activity risk. It should consider the company’s products, services, borrowers, geographic markets, origination channels, branches, remote employees, referral partners, third-party providers, and source-of-funds risks.

The risk assessment should drive the company’s controls. A higher-risk company should have stronger review procedures, more targeted training, more detailed escalation requirements that matches the company’s risk profile.

9. When a mortgage company hires a third-party provider, who is responsible for BSA/AML compliance?

The mortgage company remains responsible for its BSA/AML compliance obligations. A third-party provider may assist with training, independent audit, risk assessments, OFAC screening, policy support, or consulting, but outsourcing a task does not transfer the company’s responsibility.

The company should perform due diligence before selecting a provider, define responsibilities in writing, monitor the provider’s performance, and make sure the BSA/AML compliance officer maintains oversight of any outsourced compliance functions.

10. Can a mortgage company outsource BSA/AML training?

Yes, a mortgage company may use a competent third-party provider for BSA/AML training. However, the training should still be appropriate for the company’s products, services, employees, agents, brokers, and risk profile.

The company should retain documentation showing who completed training, when the training occurred, what topics were covered, and whether the training addressed mortgage-specific suspicious activity risks.

11. Is BSA/AML training required for mortgage companies?

Yes, a covered mortgage company’s BSA/AML program must provide ongoing training for appropriate persons concerning their responsibilities under the program.

Training should be practical and mortgage-specific. Loan originators, processors, underwriters, closers, compliance staff, branch managers, and senior management may all encounter different red flags. Training should explain how to recognize suspicious activity, how to escalate concerns, how to protect SAR confidentiality, and how the company documents its process.

12. Is a BSA/AML Certificate of Completion required?

A specific BSA/AML certification is not required for every mortgage employee. However, documented BSA/AML training is required for appropriate persons under the company’s BSA/AML program.

Certificates can be helpful for compliance officers, auditors, consultants, and employees with higher-risk responsibilities, but a certificate is not a substitute for an effective AML program. The company still needs written procedures, risk-based controls, training, independent testing, documentation, and management oversight.

13. What is an AMLCO?

The Anti-money laundering compliance officer aka the AMLCO is the responsible individual within the company that keeps them compliant with all the BSA/AML regulations. The BSA/AML compliance officer should understand the company’s BSA/AML program, SAR requirements, red flag escalation, SAR confidentiality, record retention, vendor oversight, independent audit, corrective action tracking, and management reporting.

The BSA officer should also understand how the company’s loan products, branches, remote employees, referral sources, third-party providers, geographic markets, and business model affect the company’s BSA/AML risk.

14. What are some common mortgage-related BSA/AML red flags?

Common mortgage-related red flags may include unexplained source of funds, sudden large deposits, third-party funds without a clear relationship, inconsistent borrower information, suspected straw buyers, occupancy inconsistencies, identity concerns, unusual gift funds, unverifiable employment, undisclosed liabilities, rapid property flips, inflated values, and reluctance to provide documentation.

A red flag does not automatically mean a Suspicious Activity Report must be filed. It means the company should review the facts, document the concern, determine whether there is a reasonable explanation, and escalate the matter according to the company’s BSA/AML procedures.

15. What is a Suspicious Activity Report?

A Suspicious Activity Report, commonly called a SAR, is a report filed with FinCEN when a covered mortgage company detects suspicious activity that meets the reporting requirements.

In mortgage, a SAR may be required when a transaction involves or aggregates at least $5,000 and the company knows, suspects, or has reason to suspect that the transaction involves illegal funds, is designed to hide or disguise funds, is structured to evade reporting requirements, has no apparent lawful purpose, or involves the use of the company to facilitate criminal activity.

16. When must a SAR be filed?

A SAR generally must be filed within 30 calendar days after the company initially detects facts that may form the basis for filing. Mortgage companies should have internal escalation timelines that allow enough time for review, documentation, and filing before the deadline.

17. Can the borrower be told that a SAR was filed?

No, SAR confidentiality is a critical requirement. A mortgage company, its employees, officers, directors, and agents must not disclose a SAR or information that would reveal the existence of a SAR to the person involved in the suspicious activity.

Employees should be trained never to tell a borrower, referral partner, real estate agent, loan officer, or other unauthorized party that a SAR has been filed or is being considered.

18. Is every fraud concern a SAR?

No, not every fraud concern automatically requires a SAR. A concern should be reviewed under the company’s BSA/AML procedures to determine whether it meets SAR reporting requirements.

Some issues may be resolved with a reasonable explanation or additional documentation. Others may require escalation, investor notification, law enforcement contact, internal corrective action, or SAR filing. The key is to have a consistent process for identifying, reviewing, documenting, and escalating suspicious activity.

19. How is OFAC compliance different from BSA/AML compliance?

BSA/AML compliance focuses on identifying and reporting suspicious financial activity. OFAC compliance focuses on sanctions compliance, including screening parties and transactions to prevent prohibited dealings with sanctioned persons, entities, countries, or blocked property.

A mortgage company’s compliance program should address both. OFAC screening should include procedures for potential matches, false positives, unresolved matches, escalation, documentation, training, and periodic review.

20. What is a BSA/AML audit?

The BSA/AML audit refers to independent testing/review/audit. Independent testing is a review of the BSA/AML program to determine whether the written program is adequate and whether the company is following its procedures.

A BSA/AML audit or independent review should evaluate the company’s risk assessment, policies, training records, red flag escalation, SAR decision documentation, OFAC procedures, third-party oversight, record retention, management reporting, and corrective action tracking.

21. Who can perform a BSA/AML audit?

An independent review and audit should be performed by a professional that understands BSA/AML requirements, mortgage operations, suspicious activity reporting, and the company’s risk profile.

The BSA/AML compliance officer should not test their own work. The purpose of independent audit is to provide objective feedback to management about whether the BSA/AML program is operating effectively.

22. How long must mortgage companies retain BSA/AML records?

The BSA/AML record retention period is five (5) years for records required to be retained. For SARs, a loan or finance company must retain a copy of the SAR and supporting documentation for five (5) years from the date of filing. SARs and supporting documentation should be stored securely. SARs and any information that would reveal the existence of a SAR must remain confidential.

23. What are common BSA/AML compliance mistakes mortgage companies make?

Common mistakes include using a generic BSA/AML policy, failing to update the risk assessment, not training loan-level staff, not documenting red flag reviews, misunderstanding SAR confidentiality, treating OFAC screening as a simple checklist item, failing to monitor third-party providers, and not having an independent audit.

Another common weakness is failing to integrate branches, remote employees, brokers, processors, underwriters, and third-party providers into the BSA/AML program. A written policy is not enough. The program must operate inside the company’s actual loan process.

24. What should senior management do to support BSA/AML compliance?

Senior management should approve the BSA/AML program, provide resources, assign responsible personnel, support escalation decisions, review risk assessment results, respond to independent audit findings, and ensure corrective action is completed.

An effective BSA/AML program depends on management commitment. Employees need to know that suspicious activity concerns should be escalated and documented, even when a loan is close to closing or a referral source is important to the business.

25. What should a mortgage company do now to strengthen BSA/AML compliance?

A mortgage company should review its BSA/AML policy, update its risk assessment, confirm the AML compliance officer has proper authority, verify training records, test red flag escalation procedures, review vendor oversight, confirm SAR decision documentation, and schedule an annual independent audit

Conclusion

BSA/AML compliance is a core part of mortgage compliance. A strong program helps mortgage companies identify suspicious activity, protect the integrity of loan transactions, comply with reporting obligations, and reduce regulatory, investor, legal, and reputational risk.

For mortgage lenders, mortgage brokers, and residential mortgage loan originators, the best approach is practical and risk-based: know your risks, train your staff, document your reviews, protect SAR confidentiality, monitor third-party providers, test the program, and update procedures when the business or regulatory environment changes.

Please contact us at Mortgage Education Institute with questions, and to see how we can help your company with your Annual BSA/AML Audit, Policies and Procedures, Compliance Trainings, or any of our other Compliance Support Services.

Need an updated BSA/AML Policy: https://mortgageeducationinstitute.com/product/bsa-aml-policy-and-procedures/

Mortgage Compliance Policies and Procedures: https://mortgageeducationinstitute.com/compliance-manuals/