Money Services Businesses (MSBs) know that one of the four pillars of the Bank Secrecy Act (BSA) is to have their BSA/AML compliance program (hereinafter the “program”) tested periodically by a qualified, independent party. The BSA/AML independent review (the “review”) provides valuable feedback to the MSB about the state of its AML compliance program, and it is also a document that is requested as part of regulatory examinations and bank-partner oversight.
The purpose of this article is to share insights from a reviewer’s perspective in order to help MSBs prepare for upcoming reviews. Keep in mind that these insights do not reflect observations from any one client, but rather are general observations that are cumulative over time.
In the beginning…
The FFIEC has provided guidance that says a review is “an evaluation of the overall adequacy and effectiveness of the BSA/AML compliance program including policies, procedures and processes.” It is the reviewer’s job to evaluate that the program is designed and implemented to meet the applicable BSA requirements and that the program is tailored to the MSB’s AML risk profile. Reviewers take this mandate seriously and use the time before, during and after their on-site review to gather as much information as possible to make copious observations, identify findings and make best-practice recommendations.
The initial request for documents provides a roadmap as to what will be reviewed and tested. In fact, much of the review takes place prior to the on-site component. Therefore, the company’s AML Compliance Officer should take the time to fully review and understand the entire request list and ask clarifying questions as necessary. Providing thorough responses and current documents that cover the review period gives the reviewer more confidence that the program is being actively managed. Also, identifying the request number for each document provided saves time and confusion.
Most reviewers test transaction data, which should be requested as early in the process as possible. The MSB can then work with the reviewer to determine the scope of the sampling and the best way to produce the data in a secure manner that identifies the relevant fields and can be easily queried.
Reviews involving multiple products
A reviewer needs to have a clear understanding of the products and services offered under the program. Many companies have multiple product offerings, some of which are regulated under the BSA while others are not. Further, some MSBs choose to cover their regulated and nonregulated products under one program, while others cover only the regulated products. Be prepared to educate the reviewer through product descriptions, business plans, funds and data flows, legal memorandums, regulatory guidance and other materials that explain how the products operate and how each product falls within, or is exempt from, the BSA.
Program best practices
True, the program is often in the form of a manual that is maintained by the AML Compliance Officer and his/her team. However, the program belongs to all employees and sets the tone for a strong culture of compliance. FinCEN’s 2014-A007 advisory provided valuable feedback in this regard, stating that, while AML sanctions are specific to individual institutional practices or lack thereof, the common thread among sanctioned companies (large and small) has been that they lacked a strong culture of compliance as promoted from the top down. It’s recommended that the program be shared with all employees. One important way this can be accomplished is by providing each employee with a copy of the program as part of the training process and/or making the program accessible on an intranet site and communicating that accessibility.
Strengthen your program
Practical steps for your written program:
- Include a description of all applicable BSA requirements in the program. This demonstrates to the regulators the company’s knowledge of its requirements. Further, if the requirements are not stated, there is a greater chance that there may be gaps in the corresponding procedures and controls.
- Include roles and responsibilities, including for the Board of Directors, senior management, compliance officer and employees, in the program manual. Doing so establishes stronger accountability and engagement at all levels.
- The program may describe multiple levels of procedures and training; however, the detailed standard operating procedures (SOPs) are best maintained separate from the program to allow for changes without the need for Board approval. SOPs are best when they contain sufficient detail to know who does what, when, with what frequency and how. Procedural documents should be dated, and the appropriate personnel should be trained on them. Reviewers test to make sure that procedures are being followed so that what is actually in practice mirrors what is documented. It is sometimes the case that when procedures are included in the program and not separately available to employees, the implementing operations team is not aware of the procedures in the program.
- For MSBs with non-U.S. parent companies, it is best that the U.S. entity has its own program rather than being included in the parent’s program. Bank partners and regulators consider it a best practice.
All MSBs must have a designated AML Compliance Officer (CO), and regulatory guidance tells us that the CO should be appointed by the MSB’s Board of Directors. The appointment can be made by consent of the Board or included in the minutes of a Board meeting. Your CO must have sufficient AML experience and receive ongoing AML training. Also, some states have experience requirements for the AML Compliance Officer position.
Check your structure to make sure your CO has:
- Sufficient independence from business decisions
- Access to the Board
- Sufficient systems, authority and resources to implement an effective program.
Policies and procedures:
Procedures must be in writing, and a best practice is to have three levels of procedures:
- High-level procedures in the program
- Detailed SOPs for operational teams such as procedures for investigations, as well as standard and enhanced due diligence procedures
- Desktop procedures that are job-specific and may contain forms or screenshots of system pages with detailed instructions.
Other useful tips include:
- For each regulatory requirement, there should be a procedure with accountability. For instance, while the Customer Identification Program (CIP) is a regulatory requirement, a member of the company’s underwriting team may perform the verification tasks. The underwriting team should be designated as the control owners for the requirement.
- Chartwell highly recommends a quality assurance procedure for each regulatory control. For instance, suspicious activity monitoring is a control. Provide procedures for timing of investigations and reporting, documenting investigative steps and making decisions. Sample and test decisions on a periodic basis depending on volume to ensure that procedural steps are being followed and properly documented.
- Include exception procedures so that employees understand acceptable deviations from procedures and know the escalation process.
- Each procedure should have a change history page, owner, approver, date approved, effective date if different from the approved date, and either a training or a communication date. Documenting this information gives reviewers and regulators visibility into how procedures have changed, so that they can adequately sample and test the program.
Risk assessment best practices:
A company’s risk assessment must be tailored to the distinct products/services and unique industry of that company. While that may sound obvious, sometimes the risk assessment is too generic, resulting in the company having insufficient risk mitigations in place. The tips below provide ways to develop or enhance your AML risk assessment process:
- The methodology for calculating risk should be clearly explained in your written risk assessment.
- Your risk assessment should be reviewed and approved by the Board of Directors initially and on an ongoing basis.
- Your risk assessment is a living document. Occasionally, a client does not want to acknowledge high-risk elements within its risk assessment for fear that bank partners or regulators will interpret high risk as a weakness. We suggest a different perspective on acknowledging high-risk elements within your program. When you work through the risk assessment process, you have the opportunity to identify risks, which gives you the ability to implement appropriate resources and systems. When you document this process and discuss the mitigation factors you have implemented, you actually demonstrate the strength of your program to bank partners and regulators. Testing and subsequent adjustments to residual risk levels further demonstrate the depth of your program as well as the comprehensiveness of your risk assessment.
Data testing (Suspicious activity monitoring, customer identification program, due diligence):
- Be prepared to provide data for data testing, which may be applicable to any procedure, requirement or control. Raw data is requested for various purposes: to test various limits, to see if suspicious activity rules hit, to look for patterns, to test recordkeeping requirements, to test data integrity, to test due diligence procedures, etc.
- Know your CIP requirements – your vendor may not know the requirements for your products. CIP dictates what to collect for customer identification. The proof of CIP and its verification has recordkeeping requirements, as well.
- Do you have a gap between what you say you are going to collect/verify for due diligence and what is actually collected? Remember, credit risk and knowing your customers are different. If a particular verification step is optional, say so in the procedure.
- Suspicious activity rules should be analyzed for effectiveness. Some companies get too many hits and have a long backlog for reviews. Others rarely get a hit and therefore the parameters may need to be refined.
- Investigation steps and standard documentation language should be established and sampled to make sure the procedures are followed and documentation is consistent.
Oversight programs for third parties that are instrumental in the sales, operations or controls for your business are essential. Third parties may include agents, independent sales organizations, foreign correspondent financial institutions, contractors, vendors and more. The initial due diligence must be done consistently, whether the third party is large and well-known or a small operation. If the third party has a role in meeting your regulatory obligations, make sure that a thorough and consistent review is done based on risk and at least annually.
Suspicious activity reports (SARs):
As we are all aware, the narrative section is the SAR element most in need of ongoing improvement. Here is a useful tip: develop a SAR narrative template that provides a flow for how to organize the critical facts, circumstances, parties and dates. Succinct chronologies are necessary, so highlight what happened, when, the roles of the key parties, identification numbers and dollar amounts, and why the activity is deemed to be suspicious. Without this structure, there is a tendency to leave out important details, convey speculation instead of facts and use internal acronyms or phrases that are more than likely unfamiliar to the party reviewing the filed SAR.
Program reviewers and state and federal examiners test the 30-day filing deadline. It is a best practice to include, in the investigative notes and in the SAR, the information that explains when the activity became suspicious.
The requirement states that a SAR must be filed with FinCEN no later than 30 calendar days from the date of the initial detection of facts that may constitute a basis for filing a SAR. The time period for filing a SAR starts when an MSB, during its review, or based on other available information, has firm reason to suspect that the activity or transactions under review meet one or more of the definitions of suspicious activity.
The phrase “initial detection” should not be interpreted to mean the moment a transaction is highlighted for review or the date on which the transaction occurs. There are a variety of legitimate transactions that could raise suspicion simply because they are inconsistent with a customer’s historically “normal” activity. Therefore, each MSB should set and communicate its decision-making standards and the initial detection date should be included in its SAR and backup documentation.
Most MSBs provide their employees good, basic AML training on at least an annual basis. Below is a list of suggestions for improving your AML training content and recordkeeping:
- Include all relevant BSA requirements in the training.
- Tailor the examples to your MSB’s product offerings. If your company purchases an off-the-shelf AML training module, make sure you can tailor the content. Too many training modules use examples of suspicious activity for products, such as money transmission or sale of money orders, when those products are not offered.
- Include in the training all relevant instructions (e.g. where to locate the program, SOPs, compliance forms, what to do if something suspicious is detected, relevant time frames, how to contact the AML Compliance Officer, etc.).
- Incorporating a test of the training content is a best practice. Use quality assurance testing to validate that the questions cover the important points for the audience and that the questions and answers (if multiple choice) are clearly written.
- Review your training audience each year. Some companies train all employees. Others select departments and leave out key personnel such as senior managers and Board members. Anyone who “touches” a regulated product in the course of performing their duties should be included in the AML training audience. This may include finance, operations, IT and other shared services.
- Training records must be maintained for five years. Training records include the course content, attendance records, hire date and test scores, if applicable. If your company’s policy says that new hires are trained within a certain timeframe from date of hire, an internal control should be set up to ensure that the training occurs in a timely manner. Training records should be maintained in a location for all program records and not in an individual’s files.
- Human resources and senior management must support the completion of AML training as a performance matter.
OFAC laws, rules and regulations are separate and distinct from the BSA. While a BSA program must include OFAC compliance, it may be appropriate to have a separate OFAC program and OFAC risk assessment, since OFAC applies to all dealings of U.S. persons and not just to those within the scope of the BSA. OFAC reports must be filed in a timely manner and maintained for five years. Companies frequently have good systems for initial screenings but fail to screen certain databases, such as employee lists, against updates.
As most MSBs use some type of interdiction software or proprietary screening method, it is very important to test OFAC controls regularly. The following is a short list of tests you can perform:
- Test the filter using names from the SDN and other lists, including AKAs, as well as common misspellings.
- Test your data integrity. For instance, does your system pull in titles (e.g. Dr. or Mr.) that would cause you to miss a potential match? Does your system limit characters such that names would be cut off? Are abbreviations used inconsistently?
- Test your blocking controls to make sure that once a transaction is blocked for OFAC reasons, it cannot be released without the proper authority (usually AML compliance or legal).
- When the OFAC list is updated, test to make sure that the updates (adds and deletions) were made in the filter.
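The OFAC filter tests listed above, worked through as an added example that is not part of the original article and is not Chartwell’s or any screening vendor’s code: a small name-screening filter with the normalization steps the tests probe (title stripping, punctuation and accent folding, abbreviation canonicalization, fuzzy matching for misspellings), a blocked-transaction release control, a field-width check for truncation, and a reload path for list updates. Every list entry, name, transaction id, role name and the field width below is a constructed placeholder, not real SDN data.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sanctions-list fixture for the demo (NOT real SDN data):
# primary name -> list of AKAs. A real program loads the published list files.
SAMPLE_LIST = {
    "IVAN PETROVICH EXAMPLEOV": ["IVAN EXAMPLEOV", "I. P. EXAMPLEOV"],
    "EXAMPLE TRADING COMPANY LIMITED": ["EXAMPLE TRADING CO"],
}

TITLES = {"MR", "MRS", "MS", "DR", "PROF", "SR", "JR"}
# Canonical forms so inconsistently abbreviated names still line up
ABBREVIATIONS = {"COMPANY": "CO", "LIMITED": "LTD",
                 "INCORPORATED": "INC", "CORPORATION": "CORP"}
RELEASE_ROLES = {"AML_COMPLIANCE", "LEGAL"}  # assumed roles allowed to release


def normalize(name):
    """Fold accents, drop punctuation and honorific titles, canonicalize
    abbreviations, collapse whitespace and uppercase."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = [t for t in re.split(r"[^A-Za-z0-9]+", folded.upper()) if t]
    tokens = [ABBREVIATIONS.get(t, t) for t in tokens if t not in TITLES]
    return " ".join(tokens)


class ScreeningFilter:
    def __init__(self, entries, threshold=0.85):
        self.threshold = threshold   # assumed similarity cut-off for a hit
        self.blocked = {}            # transaction id -> matched primary name
        self.load(entries)

    def load(self, entries):
        """(Re)build the variant index from a list snapshot. Called on every
        list update so that both additions and deletions take effect."""
        self.index = {}
        for primary, akas in entries.items():
            for variant in [primary, *akas]:
                self.index[normalize(variant)] = primary

    def screen(self, name):
        """Return the primary list name of the best fuzzy match, or None."""
        candidate = normalize(name)
        best, best_score = None, 0.0
        for variant, primary in self.index.items():
            score = SequenceMatcher(None, candidate, variant).ratio()
            if score > best_score:
                best, best_score = primary, score
        return best if best_score >= self.threshold else None

    def block(self, txn_id, name):
        """Screen a transaction's counterparty and hold it on a hit."""
        hit = self.screen(name)
        if hit:
            self.blocked[txn_id] = hit
        return hit

    def release(self, txn_id, role):
        """Only designated roles may release a blocked transaction."""
        if role not in RELEASE_ROLES:
            return False
        return self.blocked.pop(txn_id, None) is not None


def naive_exact_match(entries, name):
    """Raw comparison of the kind that misses titles and punctuation."""
    raw = {v for p, akas in entries.items() for v in [p, *akas]}
    return name.upper() in raw


def names_at_risk_of_truncation(entries, max_len):
    """List names whose normalized form exceeds the system's field width."""
    return sorted(n for n in entries if len(normalize(n)) > max_len)


if __name__ == "__main__":
    f = ScreeningFilter(SAMPLE_LIST)
    print("AKA hit:", f.screen("Example Trading Co"))
    print("misspelling hit:", f.screen("Ivan Petrovitch Exampleov"))
    print("title stripped:", f.screen("Mr. Ivan Exampleov"),
          "vs naive:", naive_exact_match(SAMPLE_LIST, "Mr. Ivan Exampleov"))
    print("truncation risk at 20 chars:", names_at_risk_of_truncation(SAMPLE_LIST, 20))
```

Each function maps to one bullet above: `screen` covers the SDN, AKA and misspelling tests; `normalize` and `naive_exact_match` show the data-integrity gap caused by titles and inconsistent abbreviations; `names_at_risk_of_truncation` flags list entries a narrow field would cut off; `release` enforces the blocking control; and calling `load` with an updated snapshot verifies that additions and deletions both reach the filter.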
Know your BSA requirements and be prepared to show proof of compliance, which may include CTRs, FBARs, CMIRs and others not specifically addressed in this article.
In summary, each review is unique in its own way. The goal should be to provide independent reviews that not only meet the BSA requirement, but that also provide valuable feedback for a better AML compliance program.