BSA/AML compliance as a Super Bowl

Investing in any kind of technology is a serious endeavor for any size financial institution. There are a multitude of considerations that need to be thought through and measured against internal needs. Finding a vendor that is in it to thoroughly understand your business and provide you with a solution that meets your on-going and evolving needs should have an organization contemplating several factors:

1. How long has the vendor been in business?

2. Does the vendor invest in the continual improvement of their solution and in their expertise?

3. What is their track record on service and support once the technology is implemented?

4. Do they have other solutions or products that can be used to meet your growing needs in your organization?

The answers to these four questions will be a huge indicator to whether a vendor will have skin in your entire business or game, to use a football analogy, and not just a quick sale, or rather the first quarter.

The essence of having skin in the game is ensuring that a project is managed by like-minded individuals from the vendor who share a vested interest in a successful outcome and don't walk away once the project is complete. The shifting regulatory environment and the increasingly difficult nature of exams have made the stakes high for both organizations and the technology vendors who provide them with solutions.

Is your current solution working?

It's been a decade since the USA PATRIOT Act was implemented and reinforced the importance of the Bank Secrecy Act's (BSA) requirement for financial institutions to have programs in place to detect and prevent financial crime and terrorist financing. Due to the need to meet the requirement to effectively monitor for unusual and suspicious activity, many financial institutions quickly invested in technology solutions to enhance their AML programs without looking ahead. During this last decade, however, the emphasis of the importance of having a robust and flexible technology solution has been seen in AML enforcement actions, through missed SARs and lack of emphasis surrounding a financial institution's risk.

Taking time to reevaluate if your solution still adequately meets your game plan should be a part of the self-testing of your program.

If your current solution no longer meets your needs and your program is filled with workarounds and manual testing, it is likely time to reassess whether unusual activity is being adequately (and efficiently) monitored.

Several factors can impact the diminished utility of AML solutions, including missed enhancements or wholesale outdated functionality. Additionally, there may have been a "changing of the guard," meaning the leadership or staff in place for the original implementation has since moved on and with them an understanding of the solution and its benefits.

If this is where you are, it is time to bring some AML experts or seasoned players back into the game: Have them evaluate whether your current technology shortfall can be attributed to shortcomings in system utilization or deficiencies in the system itself. Experts can determine whether you can do more to maximize your original investment or whether you need to start looking for a new solution. So what should the game plan look like to ensure no fumbles? It begins by ensuring you have the right roster of players.

Game officials: Regulators expect seasoned players on the field

Regulators expect institutions to demonstrate a solid AML compliance program during examinations.

This is no different than what game officials expect when refereeing a football game.

Again, this is a place where AML professionals must have expert players in the game during critical decisions about their AML solutions. Regulators expect internal experts to demonstrate how the solution advances the goals of their AML program down the field and when they don't, come the penalties. Just imagine the play if the quarterback steps out of the game when the team has the ball. This is the importance of playing throughout the game and ensuring your vendor does too.

First Quarter: The Assessment

To discover whether you as the quarterback are getting the most out of your current monitoring systems, have seasoned players (subject matter experts) review how you are utilizing your system and what functionality you are missing that may help you improve your AML program with your current system.

Seasoned players should first review your program and processes to get an understanding of how your system supports your AML program. It is equally as important to spend time with your line of scrimmage (analysts) to understand what functionality may not be currently used or needed.

Going through this process will help identify gaps in training or underutilization of a current system. It may also uncover a misunderstanding of how a system should perform or shed light on where a new process or system would be more effective. For example, expecting the back-end monitoring system to perform in a manner or gather data typically done in a front-end system is often a misunderstanding of a system's capabilities.

Seasoned players know the winning game's strategy requires a "time out" to understand your program as well as your existing AML solution(s). This play involves working directly with your AML team to identify, document and make recommendations on the functionality already available or needed to enhance your program through technology, which is of paramount importance.

A complete assessment of your AML program should include the following steps:

• • Review existing policies and procedures and high level business practices and tools

• • Review BSA/AML operations

• • Conduct a transaction sampling

• • Interview key personnel

Having the right players participate in the assessment will yield positive results in gaining yards in identifying efficiencies and increased utilization of your current solution. Information gathered during this phase of the assessment will also provide the field kick you may need to build a business case for enhancing your existing AML suite or replacing it entirely, which is a nice score at the end of the first quarter.

Second quarter: the controls

In the second quarter of the game, as a part of the assessment, take another "time out" to map your AML program to the existing system to identify the controls already in place and those that are still needed to ensure an effective AML program.  What's missing?

If you learned during the first half of the assessment that you are resorting to manual processes to supplement your system, bring those processes back into the system. A monitoring system is only as good as the rules or controls that are housed in its engine.

Having an understanding of the risks associated to your institution means taking into consideration such factors as volume, products, customer base, and markets. Reviewing your AML risk assessment should ensure you have the complete view of the institution's risks.

Seasoned players (experts) from both the institution and the system provider must participate during the second quarter of the "game" to identify the necessary controls that may be lacking but are needed. A play is in the making as the risks associated to the institution are evaluated not only the adequacy of the current rules and controls, but also for what functionality is still needed to support and mitigate that  risk.

This final stage of the assessment should also drive out the cost for these enhancements or additions of other components of a vendor's AML suite that may be needed to complete the gap in the AML program. The information gathered during this quarter of the game, along with the score gained during the first quarter of the assessment, will help give your business case the extra points needed.

Half-Time: time to regroup

So you're headed toward the third quarter and running out of time as either the ability to update or enhance the system is out of bounds due to price or the solution just doesn't meet your needs. Good news--all that hard work in the first two quarters has just become part of your playbook (RFP questions) for looking for a new solution.

You will now know the necessary system capabilities when looking for a new solution, which makes your requirements gathering more effective. Now as the quarterback, it's time for you to use that business case to "block," giving you a much easier defense when upper management is "holding" back from achieving your touchdown and obtaining the new solution you need to win.

Third quarter: technology implementation

Through the use of your playbook and vendor due diligence, you've identified a solution that will work for you. Now what?

Clearly, you as the quarterback and your team must be active players in the last two quarters to truly get the winning touchdown. It is not enough to sit it out and throw in a yellow flag to catch up on where the project is and call foul.

A technology initiative is almost certain to fail if it is handled exclusively by the IT Department. Although well-intentioned, and certain to find a solution that meets stringent security and functionality requirements, IT project managers are not intimately familiar with AML requirements. Frankly, they will not be the ones ultimately held responsible for how effectively the solution monitors for possible AML instances.

In addition to having your internal experts participate, you should want your vendor's seasoned players to participate as well, in addition to their IT implementation team. (This may incur additional consulting costs. But it will provide the expertise needed to maximize your investment, which will in the end save you money.)

When it comes to requirements gathering for an effective AML solution it is all about expertise--and having expertise that comes from years of banking experience and exposure to best practices across the industry as it relates to technology initiatives. This kind of expertise will become apparent to your team (who are present because they have a vested interest in winning the game) during the review of initial solutions.

At this point, you should see how the system's functionality maps to regulatory requirements; provides effective monitoring; is flexible enough to account for variations in institution specific requirements and its ongoing changing needs due to new products, markets and possible future acquisitions.

Many technology vendors provide only a project manager, who, similar to the IT team, is likely very well-intentioned but lacks the intimate knowledge of AML requirements and industry best practices to ensure the solution will satisfy your program requirements.

A seasoned player from the vendor in the form of an AML expert can provide valuable insight into the current solution, and how it will best meet your internal or regulatory expectations. They can evaluate the effectiveness of your program, identify gaps, and recommend controls.

Most important, they can map controls, processes, and procedures to system functionality. A good vendor will give you the kickoff to your receiver, allowing you to catch the ball and run the field to a touchdown!

Fourth quarter: adoption and utilization

Knowing there is no good that comes from a solution that sits on the proverbial shelf, if seasoned players are not involved in ongoing system utilization, your institution probably won't realize a valuable return on its investment and, worse yet, may lose some of the safeguards a solution is intended to provide.

At this stage, utilizing your vendor's seasoned player for their knowledge of AML and internal requirements is instrumental.

A common mistake many financial institutions make during this phase is to request system customizations to achieve their goals.

While each customization may satisfy an immediate need, changing the solution to work with your existing process as opposed to determining how to work the process with the solution to get to the same end game will ultimately do you a disservice when the vendor releases new features and functionality that won't work with your customizations.

Keep in mind that a system that offers the ability to configure, rather than customize, is the best assurance to maintaining the continued benefits of future enhancements to the system.

Of course, the key here is to have both internal seasoned players and seasoned players from the vendor in the game that understand the system's capability and the program's needs. When there is expertise on both the solution side and the client side, the client can find the highest and best use of the solution's features and functionality to achieve their AML program goals.

Finally, the "instant replay"

So for an instant replay; remember to take time to reevaluate your current system before throwing in the towel. Tap into the vendor's team and your team of AML seasoned players to perform an assessment of both your program and the system.

If after completing the second quarter, you determine at half time that your current solution won't meet your existing needs, it's time to pull out the playbook from what you learned during those first two quarters. Use those lessons listed in your playbook to help you identify what system will best meet your needs and make sure you use those seasoned players to run the ball to help you not only implement, but maximize your investment.

This is the best play to earn that Super Bowl ring and score with your senior leaders and examiners!

[This article was posted on January 25, 2013, on the website of Banking Exchange, www.bankingexchange.com, and is copyright 2013 by the American Bankers Association.]