January 2020 JD Supra and Foodman Website

Financial Institutions ought to design and evaluate compliance programs to meet BSA/AML requirements and to satisfy Bank Examiner expectations. A Financial Institution’s Compliance Programs must comply with the requirements under Title 31 and, at a minimum, must include the five (5) Pillars of AML:
(1) A system of internal controls to assure ongoing compliance;
(2) Independent testing for compliance to be conducted by bank personnel or by an outside party;
(3) Designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance;
(4) Training for appropriate personnel; and
(5) Appropriate risk-based procedures for conducting ongoing customer due diligence.

Who conducts the Independent Testing?

Independent testing (also known as an audit) ought to be conducted by an internal audit department, outside auditors, consultants, or other qualified independent parties. Financial Institutions may hire outside auditors or consultants. They could also have their own internal audit departments satisfy the independent testing requirement by using qualified individuals who are NOT involved with the function being tested. This means that when independent testing is performed by internal resources, it should NOT be performed by a person who performs the function being tested, by an "internal" compliance or AML person, or by any employee who reports into that function. When independent testing is performed internally, management is responsible for determining whether the person conducting the testing is knowledgeable, independent, has the appropriate credentials, and is free of conflicts.

If independent testing is performed by an outside third party, an engagement letter or contract ought to be agreed upon outlining the responsibilities and duties of the third party as well as provisions that state that the audit report is the property of the Financial Institution.

An effective compliance program will consider a Financial Institution's size, activities, complexity, risk profile, geography and internal controls.

An effective "risk-based" compliance program will test all of a Financial Institution's activities. Independent testers document the audit scope, the procedures performed and the transaction testing completed, and they review the conclusions. All of the audit documentation workpapers should be available for the independent tester to review. Deficiencies and/or violations noted in a review need to be reported to the Financial Institution's Board of Directors, and corrective actions must be documented.

What does Independent Testing Include?

• Evaluation of the overall integrity and effectiveness of a BSA/AML compliance program, including policies, procedures, and processes.
• Review of a Financial Institution’s risk assessment for reasonableness given its risk profile (this includes products, services, customers, and geography).
• Appropriate risk-based transaction testing to verify a Financial Institution’s adherence to the BSA.
• Recordkeeping and reporting requirements.
• Evaluation of management’s efforts to resolve violations and deficiencies noted in previous audits and regulatory examinations.
• Review of staff training.
• Review of the effectiveness of suspicious activity monitoring systems.
• Assessment of the overall process for identifying and reporting suspicious activity.

Partnering with a Third Party before Independent Testing Takes place can help your Preparation

As discussed earlier in this article, a Financial Institution’s BSA/AML Compliance Program ought to meet the minimum standards required and industry best practices. A Board of Directors’ well-developed culture of compliance directed from the Board down is critical to a Financial Institution’s commitment to good corporate governance. A partnership with a qualified Third Party can assist Financial Institutions with:
• Training an Institution’s internal resources – including compliance staff, Board and Senior management and general staff.
• Implementing or validating a corrective action plan.
• Reevaluating BSA/AML and OFAC compliance risks associated with products and services offered; particularly with new clients.

Don’t be a Victim of Your Own Making

Financial Institutions that obtain assistance prior to independent testing of a BSA/AML and OFAC Compliance Program will have an edge when completing their BSA/AML and OFAC Risk Assessment, reviewing and updating their BSA/AML and OFAC Policies & Procedures, and leveraging internal resources.