9 keys for evaluating BSA/AML efforts

Time to take a closer look at your bank's money laundering program—before you get hung out to dry.

As the swells of the foreclosure crisis subside, financial institutions are well-advised to kindle a renewed focus on their ever-evolving Bank Secrecy Act (BSA) and anti-money laundering (AML) responsibilities. Recent high-profile enforcement actions have put this issue on the front page--literally and online--and highlighted not only failures on the part of financial institutions but also systemic examination deficiencies on the part of regulators.

The primary regulatory drivers of change today are five key weaknesses detailed in a report issued by the U.S. Senate. The report's critique of the regulators included: 

1. Treating AML deficiencies as a consumer compliance issue, instead of a management issue.

2. Unnecessarily restricting citations of AML program violations.

3. Failing to match narrowly focused AML examinations with broader reviews.

4. Failing to make better use of formal and informal enforcement actions in the face of continuing AML problems.

5. Issuing supervisory letters that sometimes did not accurately convey the AML problems identified in examinations.

In response to these criticisms regulators have implemented a number of strategic and tactical measures. AML practitioners must consider the operational effectiveness of their AML program and overall program maturity.

What's missing?

An examination of public enforcement actions for the five-year period ending Dec. 31, 2012, shows a striking pattern of deficiencies among common BSA/AML program elements, including training, policies and procedures, risk assessment, and basic know your customer (KYC) requirements.

Two enormous global banks, hit with fines of nearly $2.2 billion in damages, had one thing in common--both had inadequate and severe deficiencies in their AML compliance program. However, asset size should not be viewed as the litmus test for enforcement actions. Rather, the scrutiny cast upon these global institutions may just bring about the perfect storm for small and mid-tier financial institutions.

Large institutions not already cited have undoubtedly attacked this challenge with internal task forces, acquisition of key talent, and partnerships with specialized third parties. With this in mind, regulators may begin to turn their focus to small and mid-tier institutions that may not have made the necessary investment to ensure that a comprehensive risk-based AML program exists and is fully capable of withstanding regulatory scrutiny.

Furthermore, this public scrutiny of the failures in global institutions' AML programs, the enormous fines levied, and the hard work that has resulted have not gone unnoticed. Launderers will undoubtedly turn to institutions outside of major financial centers and leverage products and services historically not associated with traditional money laundering schemes.

For those institutions not facing the challenges presented by enforcement actions, the best defense is a good offense, and the first step is to examine the operating effectiveness of the institution's AML program. This process begins with a thorough examination of fundamental program elements, including governance, knowledge management, control environment, data analytics, and the institution's risk assessment. Once complete, examination should continue with the AML program itself, which includes customer profile, transaction monitoring, alert management, and program reporting.

Framework for improvement

The following provides a detailed list of the critical BSA/AML program elements that should be considered during the bank's assessment process:

1. Governance

• • Board communication process
• • Role of BSA/AML in broader compliance / ERM program
• • Communication of BSA/AML risks and risk assessment results across the enterprise
• • Individual line of business AML compliance responsibilities
• • BSA/AML department staffing, roles, and responsibilities

2. Knowledge Management

• • Policy and procedure development, review and update process
• • Declarative policy enforcement
• • Process for monitoring external regulatory developments and corresponding program updates
• • Training development, delivery, and oversight process
• • Use of job aids for key risk positions

3. Control Environment

• • Independence of the audit function
• • Auditor BSA/AML training requirements
• • Linkage of control environment to BSA/AML risk assessment
• • Quality Assurance/Quality Control process
• • Maintenance of a comprehensive BSA/AML control inventory
• • Operating effectiveness (vs. design effectiveness) validation process
• • Risk model validation process

4. Data Analytics

• • Single customer view capability
• • BSA/AML risk models and supporting data
• • Data validation process
• • AML KRI Inventory
• • BSA/AML technology system review

5. Risk Assessment

• • BSA/AML risk assessment methodology
• • Risk factor universe
• • Assessment scope and rationale
• • Data/control collection mechanism
• • Use of quantifiable data to support risk decisions
• • Assessment frequency and interim assessment capabilities
• • Alignment to organizational Risk Appetite and Tolerance
• • Residual risk remediation process

6. Customer Profile

• • KYC/CIP policies, procedures, and processes across lines of business
• • Customer risk model and alignment to BSA/AML risk assessment
• • EDD customization to different high risk customer types
• • Customer risk model calibration process
• • Management exception process
• • Customer exit process

7. Transaction Monitoring

• • Automated and manual transaction monitoring systems
• • Coverage assessment of scenarios to risk assessment
• • Scenario calibration process
• • High-risk jurisdiction methodology

8. Alert Management

• • Referral process and prioritization
• • Investigation process
• • Department timing controls
• • Case management capability
• • Escalation process
• • SAR decision process
• • Department metrics (e.g., capacity to close)
• • Separation of duty controls
• • Document retention

9. Program Reporting   

• • Board reporting process
• • Senior Management and Line of Business reporting process
• • Blocked party reporting
• • Section 314(a) and (b), 311, 312, and 319(b) process
• • Subpoena process
• • Suspicious Activity Report filing

Next steps

At the conclusion of this assessment, management will have a prioritized list of AML program elements requiring attention. This list then serves as the foundation upon which to build a detailed project plan for improvement. More importantly, it demonstrates to regulators a strong culture of compliance and commitment to the proactive management of the institution's AML program.

The mark of a successful AML program is its capability of addressing constant changes in business products and services. Periodic modifications to the AML program and procedures are of normal occurrence and is essential to the ever-changing revisions to regulatory standards.

Institutions are well-advised to gain their bearing by performing an assessment of their AML program's operational effectiveness and by proactively managing the outcomes, whatever they may be.

By Michael Florence, AML senior director at Treliant Risk Advisors