As a financial institution, your organization has experienced frequent scrutiny of its compliance program by state or federal regulatory examiners, Internal Auditors, and Independent Compliance Review Firms.
In light of recent changes in the regulatory landscape and the increase in compliance program oversight, here are some salient tips for your organization’s management team to consider as you prepare for upcoming examinations, audits, and independent reviews.
When you seek and select a “qualified” independent review firm, you should look for relevant certifications (e.g., Certified Anti-Money Laundering Specialist, Certified Regulatory Compliance Manager) to indicate that the third party possesses the necessary expertise to evaluate your bank’s or your company’s specific line of business. It is equally important to identify firms with individuals or teams with “many” years of experience. A common standard of measurement is that it is prudent to find a review firm with at least 20 combined years of experience in your industry sector.
Your regulators may request the engagement contract between your organization and the review firm. They will focus on the written independent review scope that has been outlined in your agreement – particularly what was not included in the scope – to see if the audit or review covered all of your organization’s activities. Additionally, regulators expect that the audit or review scope will be risk-focused.
Auditors and reviewers are asking for copies of the recent request letters from others (regulatory examiners, previous review firms, etc.) to see what items were requested and for what time frame and dates. This practice not only allows the auditor to validate the adequacy of prior review scopes, but also helps to reduce the chance for two firms reviewing the same data.
Another note on the independent review process – the sample sizes for testing do matter. Regulators and auditors may evaluate sample testing sizes from prior reviews. If your organization’s Transaction Monitoring System (“TMS”) has been recently independently validated, and there are no identified issues, sample sizes tested by reviewers may be smaller compared to the testing sample for a bank that has just switched from a completely manual monitoring process to full automation using a proprietary TMS. In either case, the reviewer should support the sample size and explain clearly what was tested. The review or audit report should state, for example: what was tested (e.g., Suspicious Activity Report narratives), how many were reviewed (e.g., 25 out of 100 filed), and what was the error rate percentage (e.g., 5%). Most of us in this industry agree that judgmental sampling is the most appropriate method.
It is also recommended that reviewers and auditors perform some type of “omission sampling.” This could mean that if, during a review of a bank with many branch locations, the reviewer notes that there is one branch that never refers suspicious activity for investigation, but all of the other branches do, time should be spent determining what causes the disparity in activity referrals.
Communication is key! At every step of the review process – not just at the end – your auditor or independent reviewer should be communicating to your management team any identified issues or potential violations as well as the risk or impact of those issues. Your management group should be provided with the regulatory repercussions of not correcting the issue.
Final reports should culminate in an action plan for management. Each issue should be rated (e.g., high, medium, and low risk), and those ratings should tie to corrective action time frames, for instance: high-risk issues should be addressed by management within 90 days, moderate-risk issues within 180 days, and low-risk issues might be addressed by the next review.
Reporting lines are also becoming a focus as regulators want to see that your Compliance Officer reports directly to – or has appropriate and frequent access to – individuals at the “top” of your organization. Also, it is a good practice to verify that the final reports from your Internal Audit Department (“IAD”) or external review firm are addressed directly to the Board of Directors rather than to the Compliance Officer.
Record retention requirements are one of the BSA’s main and recurring messages. Today, many organizations are adopting the accounting and finance record retention standard of 7 years for all compliance-related records, exceeding the BSA’s minimum requirement of 5 years, as a matter of extra precaution and to provide record retention consistency across all lines of your business.
Since the Federal Financial Institutions Examination Council (“FFIEC”) BSA/AML Examination Manual was last revised over three years ago, organizations should look to the future as examination, audit, and review scopes will consider current trends and issues. In other words, ask yourselves, “What new guidance is being proposed and what topics are “hot” right now?” Information Technology (“IT”) and system considerations, for example, are high-risk focal points that have experienced much change as banks and money services businesses (“MSBs”) seek to automate more and rely on systems that require independent validation. Another place to look for emerging trends is on a global level and at recent enforcement actions overseas. Your management team should be looking at the issues identified in other countries and any related enforcement actions to see where the U.S. regulators may focus next. When significant compliance-related issues make news headlines, regulators are likely already incorporating new questions into their examination protocols.
As you develop and update your compliance risk assessments, consider that auditors and reviewers will be looking for a clearly stated methodology to explain what your risk scores mean. Additionally, your risk assessment should conclude with action items based on the highest areas of identified risk, such as the “Top ten risk mitigation goals for our bank this year are…” These action items should be measurable and include end dates for implementation. Although it may be necessary to adjust these items and dates during the year, your management team should be able to show regulators and auditors your plan and the progress you have made.
Also, your independent reviewers may begin testing what you have identified as your organization’s “residual risk”. If your risk assessment states that a certain risk is mitigated by appropriate staffing levels and expertise, your auditors or reviewers may attempt to verify that there has been little turnover in key roles and that staff members are, in fact, well trained.
One of the most common complaints by regulators on written bank and MSB compliance policies and procedures is that they are often full of lofty “should” statements rather than worded the way things actually happen in the specific organization. What is the risk, you ask? Unclear policies allow leeway for employees to “get creative” when seeking ways to solve their daily desktop procedure issues (e.g., downloading “free” templates or software to help them do a task more quickly). One of the four BSA pillar requirements is for you to develop and maintain a solid internal control system, so policy documents and associated procedures should be very clearly written, in your organization’s own vernacular, and should accurately reflect actual practices in your organization. Regulators may request not only your current compliance policy, but they may also request previous policy versions to compare. Including a revision history table in the front of your policies is helpful but not enough. Regulators and auditors want to see the complete previous iterations. Regulators and auditors may be checking that you have not just borrowed a “red flag” list from free templates or from another organization’s policies. If a red flag has nothing to do with your business model, don’t include it!
Reviewers are now asking to see your unusual activity alerts that did not result in a Suspicious Activity Report and that may not even have led to a preliminary investigation. Their goal is to see which employees in your organization are making the decisions and how they document those decisions. Auditors or reviewers may focus on selecting any alerts generated on your higher risk customers or involving higher risk jurisdictions to see what action is taken. Regulators have criticized banks and MSBs because the monitoring staff is perhaps:
Auditors and reviewers may ask what type of remedial training is required for analysts who fail to properly identify suspicious activity.
And, speaking of training… If your organization utilizes computer-based training modules, your reviewers may check the revision date of the materials. Anything over 18 months to two years old should be refreshed to address any changes in regulations and in your internal procedures. Auditors may ask who assigns the training to employees for your organization. If assignment of courses is left up to area supervisors, do they require completion of courses within reasonable time frames? And, if courses are assigned according to department or title, does the person entering the assignments in the system make errors and, perhaps, miss assigning a key course to an entire group of employees? If your training program requires passing a test after completing training, verify that the scoring mechanism works properly so that employees are not erroneously credited with passing scores.
While regulatory requirements and expectations impacting your organization are undoubtedly ever changing, understanding the evolving perspective of your regulatory examiners, auditors, and independent reviewers may improve the process for your organization during your next examination or review.
Liesel Bimmerle, CAMS, is a Senior Compliance Professional for Chartwell. She is a former state bank and money services business regulator for the State of Colorado with more than 12 years of experience in anti-money laundering, Bank Secrecy Act, and state as well as federal regulatory compliance.