Revisiting the Four Pillars Supporting an Effective BSA/AML Compliance Program

Marilyn D. Barker
October 6, 2014
ACI Prepaid Card Compliance Conference, Chicago

Upload: rachel-hamilton

Post on 05-Jul-2015


DESCRIPTION

ACI's 10th National Forum on Prepaid Card Compliance will bring together an unparalleled faculty of regulatory and enforcement officials, compliance experts from industry leaders, and outside counsel specializing in prepaid card regulatory compliance who will provide you with best practices and targeted guidance.

TRANSCRIPT

Page 2: Revisiting the Four Pillars Supporting an Effective BSA/AML Compliance Program

Components of an Effective BSA/AML Program: Revisiting the Four Pillars

The Four BSA/AML Compliance Pillars

• Qualified BSA/AML Compliance Officer

• Effective Internal Controls

• Education and Training

• Independent Testing


BSA/AML Compliance Officer

• Board and senior management are responsible for ensuring that the compliance officer has sufficient authority and resources (monetary, staffing, IT and time) to administer an effective BSA/AML compliance program based on the company’s risk profile.


BSA/AML Compliance Officer

• Compliance Officer’s professional qualifications are subject to scrutiny

• Tested for how familiar the officer is with the overall program

• Tested for knowledge of products, services, customers and geographic locations relative to potential BSA/AML risks

• Tested for engagement in the function relative to other responsibilities


BSA/AML Compliance Officer

• Tested for how risk (high, medium or low) is determined in terms of articulation in risk assessment and overall program familiarity

• Should demonstrate how risk categories have been determined

• Should be prepared to articulate (in addition to any previously prepared documentation) any exceptions


BSA/AML Compliance Officer

• Should marshal all information sources to collect the data necessary to calibrate and recalibrate risks

• Should include data derived from fraud prevention, complaints and other corporate sources; avoid information silos that prevent data integration


Internal Controls

• Include the company’s policies, procedures and processes designed to limit and control risks and to achieve overall BSA/AML compliance

• Level of sophistication commensurate with the size, structure, risks and complexity of the company


Internal Controls

• Should implement risk-based customer due diligence policies, procedures and processes

• Should identify operations more vulnerable to abuse by money launderers, terrorists or financial criminals

• Should provide for program continuity despite management, personnel or structural changes


Internal Controls

• Should provide for dual controls and segregation of duties

• Should provide sufficient controls for timely detection and reporting of required BSA forms


Internal Controls

• Should demonstrate specific controls, data management strategy and other risk management tools that your organization deploys tied back to articulated risks as contained in formal risk assessments of customers; products and services; and geographies


Internal Controls

• Should demonstrate how risk controls (especially high risk) are distinguished and implemented within the control framework and risk management strategy to ensure ongoing compliance, including the detection, monitoring and reporting of suspicious activity


Internal Controls

• Should be reevaluated when unique products, services, markets/geographies or customers are on-boarded

• Should be reevaluated when new regulatory rules or guidance is issued or enforcement actions are published


Internal Controls

• Should ensure customer base is properly segmented (high/medium/low) with data from customer due diligence protocols

• Should ensure integrity of data (customer/account transaction data) and monitoring scenarios and then validate the effectiveness of these systems on an ongoing basis


Internal Controls

• Test surveillance systems for effectiveness of generated alerts, suspicious patterns or thresholds or other scenario logic to determine calibration integrity

• Periodically perform quantitative and qualitative analyses to ensure overall surveillance system effectiveness


Education and Training

• Determine how broad and comprehensive BSA/AML education and training needs to be

• Should cover company’s internal BSA/AML policies, procedures and processes at a minimum

• Consider the frequency of education and training which should be ongoing


Education and Training

• Should include Board and senior management so that (i) they can understand and appreciate importance of regulatory requirements; (ii) the ramifications for noncompliance; (iii) and the risks posed to the company to complete oversight responsibilities; (iv) approve aspects of programs; and (v) provide sufficient resources


Education and Training

• Consider appropriate personnel to receive training

• Consider specialized training in addition to any web-based resources

• Should be substantive and involve some tailoring to individual operational units and business lines, especially in high risk areas


Education and Training

• Consider using outside training resources by recognized sources, such as ACI or ACAMS (particularly for BSA/AML or operations staff)

• Document and maintain records of education and training and testing materials, as well as testing designed to determine comprehension


Education and Training

• Should include standards for passing and retesting

• Provide contemporaneous training updates based on new rules or regulations, regulatory guidance, administrative rulings and enforcement cases.


Education and Training

• Education or training can be in person (either one on one, small group or entire business unit) or through a business communique to specifically affected operational units, business lines or reliance partners


Independent Testing of BSA/AML Compliance Program

• Should be thorough and independent (can be performed internally by audit department but should report directly to Board or senior management)

• Independence means that they should not perform any essential compliance functions unless there is appropriate corporate segregation


Independent Testing of BSA/AML Compliance Program

• Auditors should have the appropriate bandwidth with demonstrated experience in prepaid, money services business and payments (banking alone is not sufficient because of the uniqueness of prepaid operations)


Independent Testing of BSA/AML Compliance Program

• Should be performed generally every 12 to 18 months based on company’s risk profile

• Should include onsite visitation with operations and high risk business lines


Independent Testing of BSA/AML Compliance Program

• Should evaluate overall integrity and effectiveness of BSA/AML compliance program

• Should include an assessment of process of identifying/reporting suspicious activity, including a review of SARs for accuracy, timeliness, and completeness for consistency with BSA/AML compliance program


Independent Testing of BSA/AML Compliance Program

• Should include thorough risk-based transaction testing, particularly of management information systems, to determine effectiveness of BSA/AML reporting and recordkeeping

• Should evaluate effectiveness of suspicious activity monitoring systems


QUESTIONS??

Law Office of Marilyn D. Barker
1425 K Street, NW
Washington, DC
301.300.8578
