In BSA/AML compliance, being right may not be enough
Regulators are looking at your process, not just your results
When it comes to anti-money laundering (AML) and Bank Secrecy Act (BSA) compliance, financial institutions are facing a far stricter environment than they did just a few years ago. Then, as long as your audit revealed no significant issues, the regulatory authorities were generally satisfied. Now, they are looking not just at your results but at the processes you use to achieve them. Even if your results are good, if your processes are weak, you will likely face regulatory criticism.
Regulators consider four key attributes to be the pillars of an effective AML/BSA compliance program:
- Compliance team
- Internal controls
- Independent audit
Previously, the quality of the independent audit was judged by its findings and often limited to the information contained in a final written report. If the findings conveyed in the report were favorable and generally self-contained, regulators rarely looked at the processes behind the results. Now, they no longer rely on the audit results and final reports alone. They are now delving into the people and processes that deliver them. Financial institutions are well advised to understand regulators' expectations for all four pillars, including the processes surrounding the independent audit function.
The right team, the right training
AML/BSA risks have grown more complex and the regulatory environment surrounding them has become increasingly demanding. So regulators now expect an AML/BSA compliance team with the right experience and credentials to be directing your compliance effort. Regulators are looking for compliance professionals with AML/BSA experience and with professional certifications, such as certified regulatory compliance manager (CRCM) or certified anti-money laundering specialist (CAMS). Beyond certifications, they are also evaluating relevant experience with similarly situated financial institutions. They also expect the size and experience of the team to be commensurate with the size and complexity of the institution's AML/BSA risks.
Many financial institutions outsource some of their AML/BSA compliance. Don't think that outsourcing absolves you of the obligation to have the right team with the right credentials. Make sure your vendors have the proper certifications and experience.
Of course, an effective compliance effort does not end with the core compliance team. Personnel throughout the institution play key roles in effective AML/BSA compliance. From the bankers building and managing relationships with customers to tellers to wire room personnel, everyone needs to be educated about their role in controlling AML/BSA risks.
Strong internal controls
The processes and tools you have in place to capture and report AML/BSA data must be sufficient for your institution's unique circumstances. Your internal controls should accurately reflect your risk profile. For example, are your controls tailored to:
- Your geographies. The risk profile for transactions to and from Canada is different from that for transactions to and from Pakistan. You have to tailor your approach to the markets in which you are active.
- Your products and customers. Some products, such as wire transfers, and some customers, such as money service businesses (MSBs), have higher-risk profiles. Your AML/BSA compliance efforts need to be tailored to reflect those risks.
A solid audit process
Regulators are now as interested in your audit process as they are in its results. Don't assume that, because you haven't had any regulatory issues in the past, the audit model you've been following for years is sufficient. Here are some keys to a solid AML/BSA audit.
- Set a realistic budget. You need to devote enough resources to do the job right. Regulatory expectations have risen, and that has prompted the need to increase the resources devoted to the AML/BSA audit process.
- Tie your audit plan to your risk profile. Just as your internal controls should reflect your unique geographic, product and customer risks, so too must your AML/BSA audit plan.
- Don't skimp on documentation. Be sure your workpapers and other supporting documents back up your audit plan, including mapping the AML/BSA risk profile to the audit program and maintaining sufficient evidence of testing and results. Additional support is warranted for any higher-risk observations.
- Make sure your sample sizes are sufficient and representative. Obviously, higher-risk issues like MSBs or privately owned ATMs should be more closely examined than lower-risk activities. Are you looking at enough accounts? The right accounts? Are you focused on the correct time periods for testing?
Transparency is key
It comes down to transparency. The easier it is for regulators to understand how you have defined, documented, controlled and audited your risks, the more comfortable they will be with your AML/BSA audit effort and results. So look at your AML/BSA audit program through a regulator's eyes and make sure that your audit plan and documentation of work performed will withstand the scrutiny it will surely receive.