The U.S. Federal Reserve and the New York Department of Financial Services in an enforcement action this week ordered China Construction Bank and its New York branch to significantly improve its compliance operations.

According to the agreement, the bank and the branch have 60 days to jointly submit a written enhanced compliance program in the areas of Bank Secrecy Act and anti-money laundering (BSA/AML) compliance, customer due diligence, and suspicious activity reporting and monitoring. It must also enhance its internal audit program.

The components of that agreement are discussed in detail below.

BSA/AML Compliance

At a minimum, the BSA/AML program must include the following elements:

A system of internal controls designed to ensure compliance with BSA/AML requirements and state regulations;

Internal controls designed to ensure compliance with all requirements relating to correspondent accounts for foreign financial institutions;

A comprehensive BSA/AML risk assessment that appropriately identifies and considers all products and services of the branch, customer types and geographic risks, as appropriate, in determining inherent and residual risks;

Internal controls to ensure that the data received by the branch’s BSA/AML monitoring system is complete and interpretable by the system; and

Effective training for all appropriate branch personnel and appropriate personnel of affiliates that perform BSA/AML compliance-related functions for the branch in all aspects of the BSA/AML requirements, state regulations, and internal policies and procedures.

Customer Due Diligence

At a minimum, the customer due diligence program must include the following elements:

A revised methodology for determining risk ratings for account holders that considers factors such as type of customer, type of products and services, and geographic location;

Policies, procedures, and controls to ensure that foreign correspondent accounts, including, but not limited to affiliates, are accorded the appropriate due diligence, and where necessary, enhanced due diligence; and

Periodic reviews and evaluations of customer and account information for the entire customer base to ensure that information is current, complete, and that the risk profile reflects the current information, and if applicable, documenting rationales for any revisions made to the customer risk rating.

Suspicious Activity Monitoring

At a minimum, the suspicious activity monitoring and reporting program must include the following elements:

A well-documented methodology for establishing monitoring rules and thresholds appropriate for the Branch’s profile which considers factors such as type of customer, type of product or service, geographic location, and foreign correspondent banking activities, including U.S. dollar clearing activities;

Policies and procedures for analyzing, testing, and documenting changes to monitoring rules and thresholds;

Enhanced monitoring and investigation criteria and procedures to ensure the timely detection, investigation, and reporting of all known or suspected violations of law and suspicious transactions;

Policies and procedures to ensure all necessary customer and transactional data is collected from across all business lines and is aggregated into an appropriate transaction monitoring system to ensure comprehensive suspicious activity monitoring;

Identification and remediation of data deficiencies in cross border cover

payment messages;

A timeline to review key systems and to remediate deficiencies; and

Measures to ensure BSA/AML issues are appropriately tracked, escalated, and reviewed by the branch’s senior management.

Within 30 days of this agreement, the bank must also engage an independent third-party acceptable to conduct a review of the branch’s U.S. dollar clearing transaction activity from July 1, 2013 to Dec. 31, 2013 “to determine whether suspicious activity involving high risk customers or transactions at, by, or through the branch was properly identified and reported in accordance with applicable suspicious activity reporting regulations,” the agreement stated. Furthermore, it must prepare a written report detailing the independent third party’s findings.

The agreement also directs the bank to enhance its internal audit program that must, at a minimum, provide for “timely escalation and resolution of audit findings and follow-up reviews to ensure completion of corrective measures,” and “comprehensive tracking and reporting of the status and resolution of audit and examination findings to the bank’s board of directors.”