As part of their examination regulators evaluate whether the bank has designed, implemented, and maintains an adequate BSA/AML independent testing program for compliance with BSA regulatory requirements.The following are steps in such a determination.
- Determine whether the BSA/AML independent testing (audit) is independent.
- Determine whether independent testing addresses the overall adequacy of the BSA/AML compliance program, including policies, procedures, and processes. The reviewer should reach a conclusion about the overall adequacy of the BSA/AML compliance program.
- Through a review of board minutes or other materials, determine whether persons conducting the independent testing reported directly to the board of directors or to a designated board committee comprised primarily, or completely, of outside directors. Determine whether independent testing results were provided to the board of directors and senior management.
- Review quality of independent testing and independent testing reports, scope, and supporting work papers to determine whether they are comprehensive, accurate, adequate, and timely, relative to the bank’s risk profile. Consider whether the independent testing includes, as applicable, an evaluation of:
- The BSA/AML risk assessment.
- The relevant changes in bank activities since the last independent test.
- The policies, procedures, and processes governing the BSA/AML compliance program and other BSA regulatory requirements, and personnel’s adherence to those policies, procedures, and processes.
- The bank’s adherence to BSA reporting and recordkeeping requirements.
- The bank’s information technology sources, systems, and processes used to support the BSA/AML compliance program and whether they are complete and accurate. These may include reports or automated programs used to: identify large currency transactions, aggregate daily currency transactions, record monetary instrument sales and funds transfer transactions, and provide analytical and trend reports.
- Training for the Board to enable it to carry out oversight responsibilities and for appropriate personnel and whether training is tailored to specific functions and positions and includes supporting documentation.
- Management’s actions to appropriately and timely address any violations and other deficiencies noted in previous independent testing and regulatory examinations, including progress in addressing outstanding supervisory enforcement actions, if applicable.
- Determine whether independent testing includes, as applicable, an evaluation of suspicious activity monitoring systems and the system’s ability to identify potentially suspicious activity. Consider whether the independent testing includes, as applicable, an evaluation of:
- The system’s methodology for monitoring transactions and accounts for potentially suspicious activity.
- The system’s ability to generate monitoring reports.
- Filtering criteria, as appropriate, to determine whether they are reasonable, tailored to the bank’s risk profile, and include higher-risk products, services, customers, and geographic locations.
- Policies, procedures, and processes for suspicious activity monitoring systems.
- Determine whether the independent testing includes a review and evaluation of the overall suspicious activity monitoring and reporting process. Consider whether the independent testing includes, as applicable, an evaluation of:
- The identification or alert process.
- The management of alerts, research, SAR decision making, SAR completion and filing, and monitoring of continuous activity.
- Policies, procedures, and processes for referring potentially suspicious activity from all operational areas and business lines (such as, trust services, private banking, foreign correspondent banking) to the personnel or department responsible for evaluating potentially suspicious activity.
- Two types of independent BSA data validation testing are a necessity – Data Integrity (typically performed in conjunction with the independent BSA audit) and Model Validity (depending on the regulator, likely performed on a three year cycle (assuming no change in system or parameters)).
Data integrity is simply tracking the data from transactions to be sure it is captured accurately by bank software.
Model Validation involves ensuring that system parameters are properly set for the bank to flag those transactions that rise to the level of requiring a review. When a bank relies on AML software to identify high-risk customers, the model needs to be evaluated to ensure all high-risk customers are identified.
One of the risks of not performing validation is that suspicious activity goes unreported. The second risk related to not performing a validation is related to undetected cash transactions (which can lead to lookback orders from regulators). The third most common risk, efficiency, impacts the BSA area as a whole. Efficiency is key to being compliant and if the AML system is not tuned correctly – to the bank’s unique transactional makeup – then the number of low quality alerts steer BSA resources away from other alerts, leaving those other tasks open to examiner criticism.
- Determine whether the independent testing performed was adequate, relative to the bank’s risk profile.