Anti-money laundering (AML) regulations and the compliance process have become more complex over the years for financial institutions. Identifying suspicious or criminal activity is important to each institution’s operations. Institutions’ AML programs have continued to mature and, concurrently, the expectations of regulators have increased. As financial institutions develop more sophisticated methods to identify suspicious transactions, high-risk customers, and sanctions violations, new areas of interest have been raised in examinations.
The following checklist details 10 areas of focus in examinations of AML processes. Institutions can use this information to improve their compliance processes and examination preparation.
Compliance needs to be woven into every aspect of an institution’s operations. For that to happen, the C-level executives and board of directors need to support and promote an enterprise-wide compliance culture. Executives need to demonstrate the importance of compliance so that individuals at all levels recognize its value. Integrating AML compliance throughout the organization helps promote that everyone involved understands the entire process rather than just their role. Ongoing job-appropriate training and frequent communication are two ways to build and demonstrate a culture of compliance. It is also important to maintain adequate documentation of such training and communication to show examiners the organization’s progress in both areas.
Risk management models need high-quality data in order to generate usable results. Because model output is dependent on the information entered into the model, regulators want to see that data quality is enforced at the front lines and data validation protocols are in place. Some data must come from the posting system to complement the data that comes from origination sources. For example, the counterparties for transactions, such as wire transfers, must be identified, because institutions need to know where customer funds are sent and have systems in place for data validation.
Examiners expect organizations to show data in appropriate detail and to demonstrate data quality controls. If the data is not reliable, the entire compliance process might be viewed as compromised. Regulators look at the maturity of the data integration, including such factors as the mapping rules, testing, and underlying information architecture, to verify that the data provided matches expectations.
The AML risk assessment is the critical component of compliance. Organizations need to balance limited resources with the risk of malicious customer activity. A careful assessment process should drive the entire compliance program using quantitative inputs to identify risk areas and to refine the performance of the risk assessment model. Resources should be focused on highest-risk areas, and the determination of what constitutes the highest-risk areas should be documented.
Even though organizations are required to have an independent audit, self-assessment is a good second layer of defense. Self-assessment includes designating individuals with the responsibility of performing ongoing testing of critical controls within the AML program. The results of the assessment should be communicated to applicable personnel, and appropriate remedial action should be taken when deficiencies are identified. The self-assessment results may be leveraged by independent examiners, the third line of defense.
Because of the complexity of effective AML compliance, examiners are placing more emphasis on the qualifications of those conducting the independent audit. Auditors need to be well versed in the subject matter, auditing standards, and the unique characteristics of the institution type they are auditing. Examiners may ask to see documentation of the audit team’s qualifications, so institutions should have the information prepared and available.
Some institutions have elected to exit relationships with riskier clients – a process known as derisking. Regulators, meanwhile, want to make sure the public has access to banking services. Examiners emphasize that it is not appropriate to derisk based on customer type. Institutions that decide to engage in the practice should evaluate customers on a case-by-case basis and document the decision-making process.
Organizations need to demonstrate that their sanctions screening models are effective for managing risk. Management should verify that proper oversight and policies exist to establish responsibility for screening customers or transactions against sanctions lists. This can be particularly complicated for organizations with international operations.
To facilitate effectiveness and sustainability, an AML model must be calibrated. Examiners expect a documented approach to test and fine-tune an AML model. An institution’s documented approach/methodology should include documentation standards to support any changes applied to an AML model as a result of calibration. Furthermore, examiners also expect the documented approach/methodology to include event-based triggers that will prompt an organization to further fine-tune an AML model.
Regulators often cite independent model validation as an aspect of AML compliance that is not performed properly. Management should ensure an independent party validates not only the model but also the data used in and generated by it. Additionally, to comply with model risk management standards, the scope of the validation needs to extend beyond data validation testing procedures. Independent AML model validations should include an analysis of the design of the AML models, an assessment as to whether AML systems and applications were properly implemented to execute the AML models as designed, and an evaluation of the established processes to ensure ongoing administration of the AML models.
In recent years, regulatory focus on customer due diligence has increased. Examiners expect that the information collected allows banks to accurately assess the risk that comes with each new client. Particular focus has been placed on identifying beneficial owners of legal entities. Institutions should see to it that the established customer due diligence program includes appropriate processes to identify beneficial owners at account opening.
Meeting the standards required in examinations of AML processes demands the ability to identify and apply a wide variety of technologies, industry best practices, and business process improvements. It also requires a deep understanding of AML and sanctions regulations and the interests of the agencies that enforce them. Compliance is important to reduce regulatory criticism while also improving the integrity of the financial system.
Compliance with AML regulations is important for financial institutions and the criminal justice system in the United States. Crowe Horwath LLP, one of the largest public accounting, consulting, and technology firms in the country, currently works with more than 1,100 financial services organizations and can assist clients in meeting regulatory expectations. Crowe offers a unique depth of knowledge in virtually all aspects of AML programs and can work with financial institutions of any size to help determine an appropriate AML strategy.