Independent Testing: The Fourth Pillar of Compliance
Updated: Aug 12, 2022

The vast majority of money laundering efforts go undetected. In fact, it’s been estimated that on a global basis under one percent of illicit financial flows are seized and frozen[1]. US Anti-Money Laundering (AML) and Bank Secrecy Act (BSA) requirements are designed to improve what can only be viewed as a dismal track record of halting illicit activity. For banks and credit unions, their part in identifying and stopping these activities is well outlined in the five pillars of BSA/AML compliance.
A strong compliance program is built on: developing internal policies, procedures, and controls; designating a BSA/AML officer; employee training; independent testing of the program; and due diligence. Having covered the first three pillars in earlier blog posts (Pillar 1, Pillar 2, Pillar 3), we’re now drilling down on best practices for independent testing, also known as an internal audit.
Auditing Your Audit Process
Despite what it sounds like, this is not inception. Checking to ensure your internal audit includes the following characteristics can contribute to a robust program. Here are a few aspects of a robust internal audit:
Independence and qualifications. “The purpose of independent testing (audit),” according to the Federal Financial Institutions Examination Council (FFIEC), “is to assess the bank’s compliance with BSA regulatory requirements, relative to its risk profile, and assess the overall adequacy of the BSA/AML compliance program. Independent testing should be conducted by the internal audit department, outside auditors, consultants, or other qualified independent parties.”[2]
Even the best compliance departments have blind spots, and the internal auditor’s qualifications become important in identifying those weaknesses. For banks with an internal audit department, maintaining independence and remaining well trained are the top priorities. For those without such a department, testing should be conducted by well-qualified third parties, or other institution employees with sufficient independence and expertise.
When independent testing is performed internally, management is responsible for determining if the person in charge of testing is knowledgeable, independent, has the proper credentials and is free of known conflicts. It’s a good sign when a tester has earned professional credentials, such as those of the Association of Certified Anti-Money Laundering Specialists, or ACAMS.
When outsourcing anything, the institution should consider third-party risk management guidance[3]. Any auditor selected should demonstrate a keen understanding of the requirements laid out in FFIEC’s “Bank Secrecy Act/Anti-Money Laundering Examination Manual.” Evaluating the resumes and qualifications of external auditors is critical[4].
When independent testing is performed by an outside third party, it’s important to sign a formal engagement letter or contract, outlining the responsibilities and duties of the third party through service level agreements. Include in this contract a provision stating that the final audit report is the property of the financial institution being tested.
Frequency. The FFIEC manual recommends that financial institutions conduct independent testing every 12 to 18 months.
Generally speaking, testing should be conducted more frequently when a bank or credit union is working in what’s considered a high-risk sector. More frequent audits also make sense when a financial institution has just been part of an acquisition or if there are any indications of increasing or unexpected money-laundering activity.
Scope of testing. While independent testing is designed to evaluate the overall effectiveness of a BSA/AML compliance program, some specifics are worth considering. Testing should, for instance, explore whether a financial institution’s risk assessment makes sense given its overall risk profile (a risk profile is determined by the products and services an institution offers, its geography, and its customer base).
An audit should also look at how a financial institution is training employees, and what suspicious activity monitoring systems are in place. Finally, it’s important to assess how suspicious activities are identified, and how management resolves any violations or deficiencies.
Reporting. Findings from an independent testing review should be explained in a written report that details any gaps or deficiencies uncovered during the testing process. The report should determine whether audit issues identified are considered high, moderate, or low risk.
Ideally, an independent reviewer will provide recommendations for addressing any problems that have been identified. Well-done reports will later include an update documenting management’s response to any problems and deficiencies.
Finally, when an outside auditor is hired, it’s a best practice to keep on file all contracts, as well as a written record of the financial institution’s vendor selection process.
[1] https://www.unodc.org/documents/data-and-analysis/Studies/Illicit_financial_flows_2011_web.pdf
[2] https://www.fincen.gov/sites/default/files/advisory/advissu7.pdf
[3] https://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html
[4] https://www.crowe.com/-/media/Crowe/LLP/folio-pdf/AML-Independent-Testing-Trends-RISK15949.pdf