Preparing for Your MSB Independent Review

by Karen Schirmer
February 10, 2016
in Compliance

Money Services Businesses (MSBs) know that one of the four pillars of the Bank Secrecy Act (BSA) is to have their BSA/AML compliance program (hereinafter the “program”) tested periodically by a qualified, independent party. The BSA/AML independent review (the “review”) provides valuable feedback to the MSB about the state of its AML compliance program, and it is also a document that is requested as part of regulatory examinations and bank-partner oversight.

The purpose of this article is to share insights from a reviewer’s perspective in order to help MSBs prepare for upcoming reviews.  Keep in mind that these insights do not reflect observations from any one client, but rather are general observations that are cumulative over time.

In the beginning…

The FFIEC has provided guidance that says a review is “an evaluation of the overall adequacy and effectiveness of the BSA/AML compliance program including policies, procedures and processes.” It is the reviewer’s job to evaluate that the program is designed and implemented to meet the applicable BSA requirements and that the program is tailored to the MSB’s AML risk profile.  Reviewers take this mandate seriously and use the time before, during and after their on-site review to gather as much information as possible to make copious observations, identify findings and make best practices recommendations.

The initial request for documents provides a roadmap as to what will be reviewed and tested. In fact, much of the review takes place prior to the on-site component.  Therefore, the company’s AML Compliance Officer should take the time to fully review and understand the entire request list and ask clarifying questions as necessary.  Providing thorough responses and current documents that cover the review period gives the reviewer more confidence that the program is being actively managed. Also, identifying the request number for each document provided saves time and confusion.

Most reviewers test transaction data, which should be requested as early in the process as possible.  The MSB can then work with the reviewer to determine the scope of the sampling and the best way to produce the data in a secure manner that identifies the relevant fields and can be easily queried.

Reviews involving multiple products

A reviewer needs to have a clear understanding of the products and services offered under the program.  Many companies have multiple product offerings wherein some of these offerings are regulated under the BSA while others are not.  Further, some MSBs choose to cover their regulated and nonregulated products under one program, while others only cover the regulated products.  Be prepared to educate the reviewer through product descriptions, business plans, funds and data flows, legal memorandums, regulatory guidance and other materials that explain how the products operate and the connection or exemption of the products to the BSA.

Program best practices

True, the program is often in the form of a manual that is maintained by the AML Compliance Officer and his/her team.  However, the program belongs to all employees and sets the tone for a strong culture of compliance.  FinCEN’s 2014-A007 advisory provided valuable feedback in this regard, stating that, while AML sanctions are specific to individual institutional practices or lack thereof, the common thread among sanctioned companies (large and small) has been that they lacked a strong culture of compliance as promoted from the top down. It’s recommended that the program be shared with all employees.  One important way this can be accomplished is by providing each employee with a copy of the program as part of the training process and/or making the program accessible on an intranet site and communicating that accessibility.

Strengthen your program

Practical steps for your written program:

  • Include a description of all applicable BSA requirements in the program. This demonstrates to the regulators the company’s knowledge of its requirements. Further, if the requirements are not stated, there is a greater chance that there may be gaps in the corresponding procedures and controls.
  • Include roles and responsibilities, including for the Board of Directors, senior management, compliance officer and employees, in the program manual. Doing so establishes stronger accountability and engagement at all levels.
  • The program may describe multiple levels of procedures and training; however, the detailed standard operating procedures (SOPs) are best maintained separately from the program so that they can be changed without the need for Board approval. SOPs are best when they contain sufficient detail to know who does what, when, with what frequency and how. Procedural documents should be dated, and the appropriate personnel should be trained on them. Reviewers test to make sure that procedures are being followed, so that what is actually in practice mirrors what is documented. It is sometimes the case that when procedures are included in the program and not separately available to employees, the implementing operations team is not aware of them.
  • For MSBs with non-U.S. parent companies, it is best that the U.S. entity has its own program rather than be included in the parent’s program. Bank partners and regulators consider it a best practice.

Compliance Officer:

All MSBs must have a designated AML Compliance Officer (CO), and regulatory guidance tells us that the CO should be appointed by the MSB’s Board of Directors.  The appointment can be made by consent of the Board or included in the minutes of a Board meeting. Your CO must have sufficient AML experience and receive ongoing AML training.  Also, some states have experience requirements for the AML Compliance Officer position.

Check your structure to make sure your CO has:

  • Sufficient independence from business decisions
  • Access to the Board
  • Sufficient systems, authority and resources to implement an effective program.

Policies and procedures:

Procedures should be in writing, and a best practice is to have three levels of procedures:

  • High-level procedures in the program
  • Detailed SOPs for operational teams such as procedures for investigations, as well as standard and enhanced due diligence procedures
  • Desktop procedures that are job-specific and may contain forms or screenshots of system pages with detailed instructions.

Other useful tips include:

  • For each regulatory requirement, there should be a procedure with accountability. For instance, while the Customer Identification Program (CIP) is a regulatory requirement, a member of the company’s underwriting team may perform the verification tasks. The underwriting team should be designated as the control owners for the requirement.
  • Chartwell highly recommends a quality assurance procedure for each regulatory control. For instance, suspicious activity monitoring is a control. Provide procedures for timing of investigations and reporting, documenting investigative steps and making decisions. Sample and test decisions on a periodic basis depending on volume to ensure that procedural steps are being followed and properly documented.
  • Include exception procedures so that employees understand acceptable deviations from procedures and know the escalation process.
  • Each procedure should have a change history page, owner, approver, date approved, effective date if different from approved date and either training or communication date. Documenting this information provides reviewers and regulators the opportunity to see how procedures have changed to adequately sample and test the program.

Risk assessment best practices:

A company’s risk assessment must be tailored to the distinct products/services and unique industry of that company.  While that may sound obvious, sometimes the risk assessment is too generic, resulting in the company having insufficient risk mitigations in place.  The tips below provide ways to develop or enhance your AML risk assessment process:

  • The methodology for calculating risk should be clearly explained in your written risk assessment.
  • Your risk assessment should be reviewed and approved by the Board of Directors initially and on an ongoing basis.
  • Your risk assessment is a living document. Occasionally, a client does not want to acknowledge high-risk elements within its risk assessment for fear that bank partners or regulators will interpret high risk as a weakness. We suggest a different perspective in acknowledging high-risk elements within your program. When you work through the risk assessment process, you have the opportunity to identify risks, which provides the ability to implement appropriate resources and systems. When you document this process and discuss implemented mitigation factors, you actually demonstrate the strength of your program to bank partners and regulators. Testing and subsequent adjustments to residual risk levels further demonstrate the depth of your program as well as the comprehensiveness of your risk assessment.

Data testing (Suspicious activity monitoring, customer identification program, due diligence):

  • Be prepared to provide data for data testing, which may be applicable to any procedure, requirement or control. Raw data is requested for various purposes: to test various limits, to see if suspicious activity rules hit, to look for patterns, to test recordkeeping requirements, to test data integrity, to test due diligence procedures, etc.
  • Know your CIP requirements – your vendor may not know the requirements for your products. CIP dictates what to collect for customer identification. The proof of CIP and its verification has recordkeeping requirements, as well.
  • Do you have a gap between what you say you are going to collect/verify for due diligence and what is actually collected? Remember, credit risk and knowing your customers are different. If a particular verification step is optional, say so in the procedure.
  • Suspicious activity rules should be analyzed for effectiveness. Some companies get too many hits and have a long backlog for reviews.  Others rarely get a hit and therefore the parameters may need to be refined.
  • Investigation steps and standard documentation language should be established and sampled to make sure the procedures are followed and documentation is consistent.

Third-party oversight:

Oversight programs for third parties that are instrumental in the sales, operations or controls for your business are essential.  Third parties may include agents, independent sales organizations, foreign correspondent financial institutions, contractors, vendors and more.  The initial due diligence must be done consistently, whether the third party is large and well-known or a small operation.  If the third party has a role in meeting your regulatory obligations, make sure that a thorough and consistent review is done based on risk and at least annually.

Suspicious activity reports (SARs):

As we all are aware, an area of ongoing improvement among SAR elements is the narrative section. Here is a useful tip: develop a SAR narrative template that provides a flow for how to organize the critical facts, circumstances, parties and dates. Succinct chronologies are necessary, so highlight what happened, when, the roles of the key parties, identification numbers and dollar amounts, and why the activity is deemed to be suspicious. Without this structure, there is a tendency to leave out important details, convey speculation instead of facts and use internal acronyms or phrases that are more than likely unfamiliar to the party reviewing the filed SAR.

Program reviewers and state and federal examiners test the 30-day filing deadline.  It is a best practice to include data in the investigative notes and in the SAR that explains when the activity became suspicious.

The requirement states that a SAR must be filed with FinCEN no later than 30 calendar days from the date of the initial detection of facts that may constitute a basis for filing a SAR.  The time period for filing a SAR starts when an MSB, during its review, or based on other available information, has firm reason to suspect that the activity or transactions under review meet one or more of the definitions of suspicious activity.

The phrase “initial detection” should not be interpreted to mean the moment a transaction is highlighted for review or the date on which the transaction occurs.  There are a variety of legitimate transactions that could raise suspicion simply because they are inconsistent with a customer’s historically “normal” activity.  Therefore, each MSB should set and communicate its decision-making standards and the initial detection date should be included in its SAR and backup documentation.

Training:

Most MSBs provide their employees good, basic AML training on at least an annual basis.  Below is a list of suggestions for improving your AML training content and recordkeeping:

  • Include all relevant BSA requirements in the training.
  • Tailor the examples to your MSB’s product offerings. If your company purchases an off-the-shelf AML training module, make sure you can tailor the content. Too many trainings use examples of suspicious activity for products, such as money transmission or sale of money orders, when those products are not offered.
  • Include in the training all relevant instructions (e.g. where to locate the program, SOPs, compliance forms, what to do if something suspicious is detected, relevant time frames, how to contact the AML Compliance Officer, etc.).
  • Incorporating a test of the training content is a best practice. Use quality assurance testing to validate that the questions cover the important points for the audience and that the questions and answers (if multiple choice) are clearly written.
  • Review your training audience each year. Some companies train all employees.  Others select departments and leave out key personnel such as senior managers and Board members. Anyone who “touches” a regulated product in the course of performing their duties should be included in the AML training audience. This may include finance, operations, IT and other shared services.
  • Training records must be maintained for five years. Training records include the course content, attendance records, hire date and test scores, if applicable.  If your company’s policy says that new hires are trained within a certain timeframe from date of hire, an internal control should be set up to ensure that the training occurs in a timely manner.  Training records should be maintained in a location for all program records and not in an individual’s files.
  • Human resources and senior management must support the completion of AML training as a performance matter.

OFAC:

OFAC laws, rules and regulations are separate and distinct from the BSA.  While a BSA program must include OFAC compliance, it may be appropriate to have a separate OFAC program and OFAC risk assessment, since OFAC applies to all dealings of U.S. persons and not just to those within the scope of the BSA.  OFAC reports must be filed in a timely manner and maintained for five years.  Companies frequently have good systems for initial screenings but fail to screen certain databases, such as employee lists, against updates.

As most MSBs use some type of interdiction software or proprietary screening method, it is very important to test OFAC controls regularly.  The following is a short list of tests you can perform:

  • Test the filter using names from the SDN and other lists, including AKAs, as well as common misspellings.
  • Test your data integrity. For instance, does your system pull in titles (e.g., Dr. or Mr.) that would cause you to miss a potential match? Does your system limit characters such that names would be cut off? Are abbreviations used inconsistently?
  • Test your blocking controls to make sure that once a transaction is blocked for OFAC reasons, it cannot be released without the proper authority (usually AML compliance or legal).
  • When the OFAC list is updated, test to make sure that the updates (adds and deletions) were made in the filter.

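To make the OFAC filter tests above concrete, here is an added Python harness (example code, not from the article or from Chartwell) that screens names against a constructed, fictional watch list using the normalization the list calls for, then exercises each test: SDN name, AKA, misspelling, title in the field, abbreviation, accented characters, a negative control, field truncation and a list update. The watch-list names, the 0.85 similarity threshold and the 12-character field limit are assumptions.

```python
import re
import unicodedata
from difflib import SequenceMatcher
from typing import Optional

# Constructed watch list: fictional entries standing in for SDN names and their AKAs.
# Keys are primary names; values are the known aliases (AKAs).
WATCHLIST = {
    "Ivan Petrovich Example": ["Ivan Primer", "I. P. Example"],
    "Global Trading Sample LLC": ["GTS LLC"],
}

# Honorifics the filter must strip before comparing (the "Dr." or "Mr." problem).
TITLES = {"mr", "mrs", "ms", "dr", "prof", "sir"}
# Canonical forms so that "Corp" and "Corporation" compare equal (inconsistent abbreviations).
ABBREVIATIONS = {"ltd": "limited", "co": "company", "corp": "corporation", "inc": "incorporated"}


def normalize(name: str) -> str:
    """Fold accents to ASCII, drop punctuation and titles, expand abbreviations, lowercase."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", folded.lower().replace(".", ""))
    kept = [ABBREVIATIONS.get(t, t) for t in tokens if t not in TITLES]
    return " ".join(kept)


def build_index(watchlist: dict) -> list:
    """Flatten primary names and AKAs into (normalized alias, primary name) pairs."""
    return [(normalize(alias), primary)
            for primary, akas in watchlist.items()
            for alias in (primary, *akas)]


def screen(name: str, index: list, threshold: float = 0.85,
           max_field_len: Optional[int] = None):
    """Return (primary name, score) for the best match at or above threshold, else (None, score).

    max_field_len simulates a front-end system that truncates the name field before
    screening, one of the data-integrity defects the article says to test for.
    """
    if max_field_len is not None:
        name = name[:max_field_len]
    query = normalize(name)
    best_primary, best_score = None, 0.0
    for norm_alias, primary in index:
        score = SequenceMatcher(None, query, norm_alias).ratio()
        if score > best_score:
            best_primary, best_score = primary, score
    return (best_primary, best_score) if best_score >= threshold else (None, best_score)


def apply_list_update(watchlist: dict, adds: dict, deletions: set) -> dict:
    """Produce the watch list after a periodic update (adds and deletions) so the filter can be retested."""
    updated = {k: v for k, v in watchlist.items() if k not in deletions}
    updated.update(adds)
    return updated


def run_filter_tests(index: list, max_field_len: Optional[int] = None) -> dict:
    """Run the article's test list; each value is True when the filter behaved correctly."""
    cases = {  # test name -> (name as entered in the system, expected primary hit or None)
        "exact_sdn_name": ("Ivan Petrovich Example", "Ivan Petrovich Example"),
        "aka": ("GTS LLC", "Global Trading Sample LLC"),
        "misspelling": ("Ivan Petrovitch Exampel", "Ivan Petrovich Example"),
        "title_in_field": ("Dr. Ivan Petrovich Example", "Ivan Petrovich Example"),
        "abbreviation": ("Global Trading Sample L.L.C.", "Global Trading Sample LLC"),
        "accented_chars": ("Iván Petrović Example", "Ivan Petrovich Example"),
        "unrelated_name": ("Jane Unrelated Person", None),  # negative control: must not hit
    }
    return {test: screen(entered, index, max_field_len=max_field_len)[0] == expected
            for test, (entered, expected) in cases.items()}


if __name__ == "__main__":
    idx = build_index(WATCHLIST)
    for test, passed in run_filter_tests(idx).items():
        print(f"{test:16s} {'PASS' if passed else 'FAIL'}")
    # A 12-character field cuts "Ivan Petrovich Example" to "Ivan Petrovi" and the hit is missed.
    print("exact name with 12-char field limit:", run_filter_tests(idx, max_field_len=12)["exact_sdn_name"])
```

A production filter would use a purpose-built matching engine rather than `difflib`, but the test cases and the list-update retest carry over unchanged.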
Other:

Know your BSA requirements and be prepared to show proof of compliance, which may include CTRs, FBARs, CMIRs and others not specifically addressed in this article.

In summary, each review is unique in its own way.  The goal should be to provide independent reviews that not only meet the BSA requirement, but that also provide valuable feedback for a better AML compliance program.

Karen Schirmer, Director of Compliance at Chartwell, has 12 years of experience directing compliance teams and drafting programs that identify requirements, risks, controls and methods of control validations. During her work as Compliance Director for Western Union, Inc. and Integrated Payments Systems Inc., she conducted independent reviews and coordinated regulatory examinations. As part of the First Data leadership team, she drafted and directed the operations of the 2012-2013 Global Corporate Compliance Program. For more information, please contact Karen at info@chartwellcompliance.com.