
Is your internal audit of BSA/AML doing all it should?

Internal audit should provide a comprehensive review of your BSA/AML program


For your financial institution, the internal audit is your third line of defense and should provide an objective review of your Bank Secrecy Act/Anti-Money Laundering (BSA/AML) and Office of Foreign Assets Control (OFAC) programs, including policies, procedures, systems, processes and internal controls. How can you be sure your internal audit function is appropriately testing your BSA/AML activities?

Focus on five key themes when evaluating how the internal audit is addressing your BSA/AML concerns:

  • Does your internal audit program have foundational components consistent with the key elements of the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual? For instance, the BSA/AML independent review should be risk-based and cover the core examination areas outlined in the manual.

  • Does the internal audit adequately consider AML risk during the audit planning process? The level and intensity of testing for each of the core BSA/AML areas should be risk-driven, and at larger and more complex financial institutions, internal audit may conduct its own BSA/AML risk assessment independent of the first and second lines of defense.

  • Is the internal audit taking a holistic view of your overall BSA/AML environment, or is it following a rote, check-the-box approach? Inexperienced internal audit staff too often focus on transactional testing instead of examining the underlying processes and internal controls. Internal audit should start with design assessments of the core BSA/AML areas and processes before testing transactional results, and the evaluation of transactions should include testing of the related controls as well.

  • Does your internal audit staff have the skills and experience to evaluate the many qualitative factors a successful BSA/AML program depends on, and are they periodically trained? For example, do they know what to look for when evaluating the adequacy of your processes and control activities in light of your institution’s risk profile and leading industry practices? Do they effectively evaluate your culture of compliance?

  • Is the internal audit keeping up with the constantly evolving regulatory expectations surrounding BSA/AML? If there haven’t been any significant changes in your audit plan and approach in recent years, odds are your internal audit approach is not keeping up with regulatory demands.

Five steps to an effective internal audit

Be sure the internal audit is focusing on the following key issues and includes these five steps when assessing your BSA/AML program and activities:

  • Do you have a strong culture of compliance? Assessing your culture of compliance sounds subjective, but there are measurable aspects to consider. Are findings and deficiencies addressed appropriately and in a timely manner by management? Do BSA/AML staff receive regular training? Does your BSA/AML officer have access to your board, and are BSA/AML issues reported to the board when appropriate? Is BSA/AML compliance integrated into compensation and performance evaluation decisions?

  • Do you have experienced and sufficient BSA/AML management and staff? It can be difficult to attract and retain strong BSA/AML staff, especially at community banks. Therefore, consideration of the strength of your BSA/AML staff should be a vital part of your internal audit effort. Look for backlogs in suspicious activity monitoring and reporting. Review the quality of investigations, suspicious activity reports (SARs) and related case documentation. Take a close look at your BSA/AML training program: is it keeping up with the evolving BSA/AML landscape and tailored to your risk environment, or is it generic?

  • Is management’s BSA/AML risk assessment effectively tailored to your environment? Evaluating the risk assessment can be one of the most difficult parts of your internal audit because there is limited formal regulatory guidance and a heavy reliance on industry practices in this area. Regulators are increasingly focused on whether your risk assessment adequately addresses and quantifies your unique risk profile. Be sure that your risk assessment covers your products, services, customers and geographies, as well as how each contributes to your overall BSA/AML risk exposure. Don’t just look at the reasonableness of the ratings; dig into the details of the methodology, and make sure it is documented. Do the statistics and data analysis support the results? Has the underlying data been validated for completeness and accuracy, and is that validation documented? For more complex financial institutions, risk assessments should be conducted at the subsidiary or business line level and then consolidated across the enterprise.

  • Do you have the right BSA/AML systems, and are the models working appropriately and as intended? There are typically three models within the BSA/AML area: suspicious activity monitoring, customer risk scoring and sanctions screening. Review and evaluate the process and system owners, roles and responsibilities, change management procedures, user access controls, management’s initial and ongoing validation of both data integrity and model assumptions, and independent model validations. Internal audit should also play an appropriate role in implementation and user acceptance testing within your organization.

  • Are your customer due diligence (CDD) and enhanced due diligence (EDD) practices appropriate to your risk profile? Understanding your customers and how they relate to your products and services is vital to an effective BSA/AML function. Your internal audit should take a close look at CDD and EDD practices as part of the approach. The following customers and business areas deserve special attention:

    • Nonresident aliens, foreign nationals and politically exposed persons

    • Foreign correspondent banks

    • Trade finance

    • Marijuana businesses

    • Payment processors

    • Money services businesses

    • Online and mobile banking operations

      CDD activities should include risk-based collection of customer information, which may include beneficial ownership information, so that you “know your customer,” as well as ongoing monitoring of customer risk. EDD activities should provide for periodic reviews of higher-risk customers to update information, conduct screenings and review aggregate transactional activity for reasonableness. EDD procedures should be tailored to the business types listed above where they are part of your customer base.

Don’t forget the basics

Be sure the scope and documentation of the internal audit covering your BSA/AML function is appropriate. Your internal audit and its scope should:

  • Include assessments for both design adequacy and operational effectiveness of key processes consistent with the FFIEC BSA/AML Examination Manual

  • Include all applicable subsidiaries and lines of business

  • Confirm findings with management, and provide timely final reports

  • State conclusions clearly

  • Make clear recommendations that address the root cause of any issues within the final reports

  • Retain workpapers, planning documents, process narratives and testing scripts

  • Explain out-of-scope areas, if any

  • Incorporate new regulatory guidance within the internal audit program on a timely basis

  • Define terminology and standards

  • Adjust internal audit procedures to changes in the risk profile, including attributes tested and testing methods (e.g., reperformance testing for higher-risk control activities)

  • Use appropriate sampling methodologies and sample sizes based on risk (larger sample sizes for higher-risk controls)

  • Track findings, and follow up on any prior audit or examination findings

Internal audit is your final, third line of defense. Especially when it comes to BSA/AML concerns, it is also an area facing increased scrutiny from regulators. It’s vital to ensure that your BSA/AML internal audit is tailored to your unique risks.