MSBs are feeling the higher scrutiny of their regulatory compliance program by their bank partners, state and federal regulators. Certain banks are terminating MSB relationships if the bank perceives the risk of such activities as intolerable.
How does an MSB successfully navigate this environment of unprecented scrutiny? MSBs should have a regulatory compliance management program that is well documented, and can show that the MSB’s compliance program enables the company to make compliance repeatable and sustainable on an ongoing basis. Compliance Officers need to feel comfortable that if their CEO phoned in the middle of the night and asked, “how do you know that we are compliant?” that they could provide the answer on the spot.
Most MSBs are aware of having a multitude of state licensing requirements plus BSA/AML requirements, and implement processes to meet these requirements. However, once the processes have been implemented, often times little is done to test and verify that the processes are operating as planned or that the processes are sufficient to meet the regulatory requirements. Waiting for the independent review to identify regulatory gaps is not a best practice. The ongoing, sustainable portion of the program is the implementation of internal controls, testing, and ownership of validations.
The internal controls program answers the question, “How do you know your Program is in compliance?” A documented internal controls program is a tool to show regulators, banking partners, potential investors and other key internal and external key stakeholders the MSB understands and manages its regulatory compliance risk to the highest standard. The creation and maintenance of an internal controls program promotes a “culture” of compliance across the enterprise and requires executive sponsorship, validators, control owners and compliance oversight of the entire program. The program must be aligned with the MSB’s risk assessment and AML policy as changes in the business and the regulatory landscape occur on regular basis. The internal controls program must be flexible enough to meet these changes. The program adds transparency in the scope of independent reviews, internal and external audits and regulatory exams.
The methodology for documenting the controls may be as simple or complex as the tools available to the MSB. Ideally, the program should identify and document all regulations related to money transmission, money services activities and create specific internal controls for each regulation. In turn, each internal control should be tested to ensure it is accurate, effective and works as intended in business practice. Some companies develop a SharePoint site to include all relevant documentation and an audit trail of the control, maintenance and management of the program. Others might choose a spreadsheet or database to track each law, associated control and testing.
As compliance professionals, have you ever been told, “I understand the need, but I don’t have the time, the money or the people to do what you are recommending!” So, how do you build an effective program with limited resources? It starts from the top of the organization with the realization the internal controls program will help protect the company and its Board of Directors from regulatory fines, enforcement actions, potential prosecution, loss of business and mitigate damage to the MSB’s reputation in the marketplace.
The following steps will help you structure a robust program to meet the needs of the organization.
MSB regulations should be documented in reasonable detail to highlight each regulatory requirement. For instance, the OFAC regulations implement provisions in several different laws. Iran has special sanctions provisions enacted through the Iran Sanctions Act of 1996 and codified in IEEPA, whereas the longstanding Cuban embargo falls under the Trading with the Enemy Act (TWEA). As TWEA and IEEPA have different implications to non-US subsidiaries of US Companies, each of these OFAC provisions should be documented separately.
Legislative tracking can be done by engaging a legislative tracking service, belonging to trade association(s) that track legislation, and monitoring particular statutes for updates. Legislative tracking is often done through by seeking out bills, and new rules or regulations that contain words that are key to your products or services such as “prepaid access”, “open loop”, “payroll cards,” “money transmission” “consumer protection,” “payment processing,” “virtual payments,” etc.
Using a risk-based approach, a licensee’s regulatory requirements must be validated on a recurring basis. The Validator role is to determine the applicability of each requirement in the Program and incorporate newly enacted regulatory requirements and best practices. The Validator may be the licensee’s legal counsel, a compliance advisor, an internal auditor not involved in functional testing or a qualified designee of the Compliance Officer. The Validator must have the skill set and experience reasonable to capture all relevant regulatory requirements of a licensee. The tracking tool (SharePoint, database or spreadsheet) should include the name of the validator and validation date of each requirement in the Program. For example, the Dodd-Frank Act (Title X) recently created the Consumer Financial Protection Agency (CFPB), and moved the oversight of certain consumer protection laws from other agencies to the CFPB. As MSBs are identified as “larger participants” under the CFPB, the requirements validator should assure that any new MSB requirements are identified and tracked.
The internal controls program procedure manual must include a process of accountability for implementing and testing new or enhanced internal controls. A newly established internal control should be tested shortly after implementation to affirm its efficacy prior to defining an ongoing cycle of review. The procedure should explain the chosen risk based approach to the ongoing validation of controls and detail the schedule and process of validation. Each validation cycle should be documented, as described earlier, and maintained with the program documents.
The Compliance Officer or designated staff must oversee or establish the internal control to ensure alignment with each regulatory requirement or internal policy. Controls are often created through collaboration of the various cross-functional teams who support the money transmission business. The tracking tool should document a detailed description of the internal control for each regulatory requirement or policy and a date the control was created and implemented. An internal control is the mitigating action that must take place in order to prevent the risk of a potential violation. For instance, it is understood that a key control to mitigate risk of an OFAC violation is to screen against the OFAC list. While screening may be the key control, other controls must happen also, such as the data to be screened must be collected, placed in the designated fields, timely pulled into the filter, and the filter must be timely updated. As such, compliance processes should be flowed out, and for each potential point of failure, a control should be identified.
Each internal control should have an assigned Control Owner documented in the tracking tool. The Control Owner is responsible to implement and test the internal controls related to their functional process(s). The qualified person(s) requires sufficient knowledge to understand how an internal control works in practice and gauge its efficacy. A challenge for control owners is to establish an appropriate test of the internal control. A procedure document supporting an internal policy or regulatory requirement is not sufficient. In everyday practice, procedures are not always followed; therefore the Control Owner is responsible to implement a test of each control to ensure the control works as intended in business practice. Testing methods include transactional, periodic and forensic testing. Transactional tests are conducted around particular activities; periodic testing is performed at certain times to verify compliance with legal requirements and internal procedures, such as a quarterly review of activity reports; and forensic testing is used to analyze information trends over time, including identifying unusual patterns in data.
The benefit of this testing is self-discovery and resolution of potential gaps in controls. Regulators look favorably on companies who have a defined process to review and correct potential gaps in the program.
The Compliance Officer’s role is to oversee the internal controls program, ensure it is documented, thorough, maintains accountability and sufficiently mitigates regulatory risk to the business. The oversight function acts as liaison to Control Owners in testing the integrity of internal controls. In cases where the Compliance Officer is also the Control Owner, an independent tester must be assigned to evaluate the integrity and effectiveness of a control.
Changes in the company operations, regulations, lines of business and geographies all play a role in effective internal controls management. An effective program will align these important component parts, provide transparency and promote confidence from regulators, business partners and internal stakeholders.
This article was written by Jeanne Schurott.