The challenges of BSA/AML compliance continue to evolve for financial institutions as they seek to meet heightened regulatory expectations in areas such as Customer Due Diligence (CDD) or in automating monitoring processes, all while effectively managing the associated cost of ongoing compliance. In the meantime, the Financial Action Task Force (FATF) notes continued diligence in AML technical compliance that has not yielded a corresponding increase in effectiveness.
The requirement for independent testing of BSA/AML often seems to be one of assumed compliance. Furthermore, it can sometimes appear to be considered that of necessity with no perception or expectation of value to be derived. Nonetheless, there are some key factors that all financial institutions should consider concerning the “audit pillar.”
While it is widely known that an “independent” party should conduct the BSA audit, it is often presumed that this means someone external to the financial institution. However, when auditing the system of internal controls, the auditor is only truly “independent” if that person or entity did not assist in the design of the related controls, or participate in control activities. For example, if the auditor prepares the BSA risk assessment, they would not then be independent relative to auditing the assessment. Similarly, if the auditor provided consulting services in the development of CDD procedures, they would then not be independent to audit the effectiveness of the associated internal control activities.
The person with designated responsibility for BSA compliance (the BSA Officer) is expected to and often invests countless professional and personal hours in developing their expertise in BSA/AML. This typically involves participating in BSA-specific continuing education programs and obtaining (and maintaining) BSA/AML credentials, such as the Certified Anti-Money Laundering Specialist (CAMS) designation. As such, financial institutions should expect and ensure their BSA auditor is similarly (and specifically) trained and credentialed. For example, the Certified Public Accountant (CPA) designation is an outstanding and well-respected credential, but it has no direct correlation with BSA/AML. Similarly, continuing professional education only enhances BSA/AML knowledge and skills if it directly related to that specific subject matter.
All financial institutions are expected to implement and maintain a system of internal controls that ensure ongoing BSA compliance. Hence, financial institutions should approach the BSA audit as a risk-based operational audit rather than a “compliance” audit. The auditor should document the BSA/AML processes, identify the relevant “key” internal controls, evaluate the design of those controls, and test said internal controls for operating effectiveness. Depending on the nature, size, and complexity of the financial institution, a compliance audit approach may allow them to “check the box.” However, an operational audit approach can serve to add value to the institution and ultimately assist in enhancing the effectiveness of the BSA/AML program.
The financial institution owns all the BSA/AML pillars, including the audit pillar. Regardless of who is tasked with carrying out the related audit procedures, ownership rests with the Board of Directors and management of the institution. As such, financial institutions should take a proactive role in understanding the independence, expertise, and audit approach of the person or firm conducting the audit. The BSA audit should not merely be “packaged” with other internal audits performed by an outsourced entity, or grouped with other unrelated compliance audits. BSA/AML is unique and is treated as such by the respective regulatory bodies. It is examined as a separate component of a safety and soundness exercise by someone with the requisite skill and knowledge to do so. Therefore, financial institutions should ensure the delegation of audit activities associated with BSA/AML are approached with a similar lens.
While some institutions consider the FFIEC view of four pillars and others might consider the FinCEN view of five, the audit pillar is consistent across all regulatory and rulemaking bodies. As the expectations, challenges, and cost of BSA/AML continue to rise, financial institutions of all sizes should embrace the audit pillar and seek to derive value from the annual exercise. Navigating the hurdles of regulatory and rulemaking bodies can be confusing, as can the addition of the audit pillar. When questions arise, your CRI Certified Anti-Money Laundering Specialist is at the ready to assist.