Within the banking industry, compliance testing involves assessing compliance-related processes and/or controls that can determine whether the bank’s compliance program is designed and operating appropriately.¹

The compliance testing function includes activities focused on financial crime compliance (FCC) testing. Often, FCC testing is performed by a dedicated testing team with the goal of ensuring that internal controls are reasonably designed and working as intended to manage financial crime risk. Like the internal audit (IA) function (the third line of defense), the FCC testing function (the second line of defense) may test business units and other compliance functions. It is important in enabling institutions to understand what works and what does not work, including the ability to measure the effectiveness of internal controls.

Unsurprisingly, compliance testing programs are now a focal point for regulators as evidenced by the fines and penalties aimed at banks that deviate from maintaining a strong framework of internal controls. As such, banks are recognizing the need to grow and/or enhance their compliance testing functions, while ensuring that these programs align to expected standards—both internal and external.

The following are six helpful considerations for FCC testing teams that are looking to enhance their program and stay ahead of the curve.

1. Set Up a Formal Coordination Effort With IA

Having a strong partnership with IA can lead to more effective testing and more comprehensive coverage of risks across an institution. This consists of sharing information on a regular basis, as well as having open lines of communication while maintaining independence. This type of transparency and collaboration is also important for preventing redundant testing and minimizing disruption to the first and second lines of defense in performing their day-to-day activities. The following are examples of how to coordinate with IA:

• Involve IA in the initial development of the annual testing plan, with attention to identifying overlap in timing
• Schedule ongoing monthly/quarterly touchpoints to discuss the status of the testing plans, including changes and relevant updates
• Include each other on the distribution lists of published reports, where relevant
• Establish strong practices for documenting meetings with IA and monitor corrective actions that arise from IA reviews
• Use the meeting documentation for future planning and scoping compliance testing reviews.

To maintain independence, compliance testing should focus their coordination on the timing of testing. This means that while it might be acceptable to move the timing of testing, it is not appropriate to eliminate testing due to IA coverage.

2. Establish Quality Control and Quality Assurance Protocols

In addition to managerial oversight over testers (e.g., having a testing manager that reviews the team's work), testing programs should have protocols to check for and promote consistency, quality and continuous learning for all aspects of the testing activities throughout the lifecycle of a testing review and thereafter. This function is best performed by individuals or teams that are independent from those performing or managing the testing activities. Having formalized and comprehensive quality control/quality assurance (QC/QA) processes at various stages helps elevate the quality of testing and educate the testing team.

The following are examples of strong QA/QC practices:

• There is a documented approach and methodology for performing QA/QC activities (e.g., frequency, roles and responsibilities, sampling, specific steps/evaluation criteria used).
• Reviews are aligned and consistent with the procedures and process performed by the testers.
• Reviews cover each member of the testing team, including managers.
• Reviews are performed by qualified individuals with relevant experience (e.g., individuals that have previously performed testing or served in managerial or oversight capacity and have a background in FCC).
• Execution of reviews, including findings, is evidenced (e.g., documented and retrievable).
• Results are recorded in a manner that identifies trends and lessons learned that can be reported to senior management.
• Feedback from reviews is communicated timely and in a manner that facilitates learning.

Note that for smaller testing teams or banks with tighter budgets, a quick short-term gain may be achieved from either reallocating existing staff to this function or engaging an experienced subcontractor or consultant as an interim solution until the function can be further developed.

3. Formalize the Process for Determining (and Maintaining) Staff Size

At times, determining the appropriate number of testing professionals is dictated by available budget. Although this is understandable, it may not be an effective strategy and it might be questioned by regulators. A stronger tactic is to work in the opposite direction. For instance, perform careful analysis of key activities and tasks for which the compliance testing team is responsible. This is often outlined in the program document or the group's policies and procedures and can then be used to inform the appropriate number of resources. Once this is established, it is important to ensure that the staff size remains aligned with what is needed. The following are examples of helpful actions:

• Developing a capacity analysis: The exercise of assessing and determining staffing needs to execute testing activities is important—even in smaller teams or with tight budgets. A few key questions to consider:
  • What are the required testing activities to be performed?
  • How much time does each activity take?
  • What is the team's current capacity (in terms of available time)?
  • Is the current number of resources enough to satisfy the required AML testing activities?

   

  An effective way to perform this exercise is to break down the activities into hours and estimate approximately how long each activity takes. This can be based on historical metrics and data (if available) or a one-time pilot walk-through of activities. Then, break down how many working hours each resource has available to dedicate to these activities. When determining capacity, consider factors such as holidays activities. It is helpful to document this assessment in a spreadsheet or a tool that can be easily monitored and adjusted.

• Implementing a contingency or succession plan: The ability to secure and maintain staff size is just as important as the act of getting the staff. This means having a contingency or succession plan that protects against critical positions or roles becoming unexpectedly vacant. The plan should detail how continuity will be maintained in these instances, such as designated individuals or roles that could fill in for certain positions where needed. Documenting this ahead of time will help ensure that activities continue as normal. This is particularly important for compliance testing functions as testing activities are time sensitive and run on set schedules and timelines.

4. Invest in Strengthening Existing Staff

An experienced and capable staff is critical to ensure that testing functions are executed properly. The mix of skills needed to perform FCC testing is diverse and not always complementary. For instance, the planning stage of a review may require project management and analytical skills to determine the scope and ensure that the review covers key risks, while meeting timelines. The fieldwork stage may require attention to detail and thoroughness to document-testing work in a manner that can be understood by a third party. Lastly, the reporting stage may require strong communication and interpersonal skills to coordinate with stakeholders in order to draft and issue the final report and develop sufficient corrective action plans.

The following are important considerations when investing in staff:

• Skills assessments: As highlighted by the Office of the Comptroller of the Currency in the comptroller's handbook, it is important to assess the qualifications and experience of testing staff to identify gaps between the skills needed to perform the required activities and the skills possessed by the testers. An assessment of skills or competency model can be used to inform training decisions and help match resources with compliance testing reviews. Information obtained from a capacity analysis (described above) is a good indicator of required testing activities, and therefore signals the skills needed to perform those activities. The initial recruiting and hiring specifications (such as those noted in the job posting or used in the interviewing process performed by the bank) can also suggest the required skills. Examples of relevant areas when assessing staff experience and knowledge include:
  • Audit/testing skills: research, writing, sampling, risk analysis, control assessment techniques, the various stages of a testing review
  • Technical skills: data analytics, system applications
  • Communication skills: ability to communicate well across all levels of an organization in different formats such as report writing, emails, phone, in-person
  • AML/sanctions knowledge: know your customer (KYC), sanctions, transaction monitoring (TM), rules, regulations and best practices
  • Credentials/certifications: Certified Anti-Money Laundering Specialist (CAMS), Certified Fraud Examiner (CFE), Certified Internal Auditor (CIA)
  • Years of experience: AML, auditing/testing

   

• Training: In today's regulatory environment, having a training program is the bare minimum. Training is expected to be tailored and linked to a plan and delivered in a methodical and targeted manner. Former Federal Reserve Board Governor Mark W. Olson sums it up well when he notes the following:

  “Training on policies, procedures, and associated controls is a component of compliance-risk management that should not be overlooked. Examiners will determine whether the banking organization's training program ensures that compliance policies, procedures and controls are well understood and appropriately communicated throughout the organization.

  While the depth and breadth of training that an employee receives depends on that employee's role and responsibilities, examiners generally assess whether staff at all levels understand the organization's compliance culture, general compliance-risk issues, and high-level compliance policies and procedures.”⁶

For compliance testing functions, examples of relevant training program considerations include:

• Linking the skills assessment: At a minimum, the training content should cover the topics and competencies noted in the skills assessment (described above) with consideration for identified gaps. This includes specialized training for each stage of a testing review (planning, fieldwork, reporting, corrective actions) and targeted training of AML-specific risks, trends and regulations with attention to higher-risk products, services, businesses and customer types.
• Linking QC/QA results and manager observations: QC/QA results and manager reviews provide valuable feedback as to where testers may be underperforming. If designed correctly, these functions highlight trends and “lessons learned.” Any material weaknesses or areas flagged as key problem areas should be addressed by training to strengthen staff performance.
• Linking roles and responsibilities within the team (e.g., manager, tester): To ensure training is effective and efficient, testers should receive targeted training that is specific to their roles, responsibilities and areas of concentration. For instance, managers should receive different training than what testers receive. Testers that are subject-matter experts in certain AML topics (such as KYC) should receive additional KYC training relative to a tester that performs TM reviews and vice versa.
• Delivery methods and channels: A strong training plan will consider a diverse mixture of methods and channels, including training delivered by other parts of the organization.
• Frequency: Training should be delivered on both an ongoing and ad-hoc basis as specified in the testing plan. The frequency of the training depends on what makes sense for the topic within the context of the bank and the regulatory environment. For instance, for broader and more general training topics on the plan that are unlikely to change within the course of a 12-month period, an annual training (at a minimum) may be appropriate. Ad-hoc training may be provided when there are changes to a bank's policies, procedures or processes.
• Tracking attendance and timeliness: Mechanisms should be set in place to track and evidence that members of the testing team are taking the trainings in a timely manner.

5. Consider Co-Sourcing /Augmentation to Temporarily Fill Gaps in Required Skills

Co-sourcing can be a great way to fill deficiencies in staffing and required competencies quickly and efficiently. Hiring temporary contractors or consultants brings in targeted skills and experience so that the team can more strategically manage testing responsibilities and ensure that staff is aligned appropriately. Based on research performed by PwC, when it comes to managing resource limitations, there are certain activities that are prime candidates for co-sourcing, such as noncore tasks (e.g., routine test execution) or areas that require advanced skills and expertise that cannot be satisfied by the current team.⁷ Benefits of co-sourcing include:

• Speed: Onboarding temporary staff is often quicker than identifying and hiring full-time employees. Temporary staff can also be changed more quickly than permanent hires.
• Specialized skills: Consultants (or teams of consultants) can be specifically selected based on targeted skills and knowledge. Oftentimes, larger consultancies will identify the candidates with the requisite skillset.
• Training and learning opportunities: Consulting firms, particularly top-tier consulting organizations, are often aware of the latest industry best practices and regulatory expectations based on their work with multiple financial institutions (FIs) and can offer a fresh view. This insight and perspective can be a valuable addition.
• Improved alignment of resources: The use of specialized resources for targeted tasks and activities can free up the existing core staff. This allows the existing team to focus on higher priority actions and activities that require in-house experience and strategical thinking.

While co-sourcing can offer value, it is also important not to overly rely on nonpermanent staff. Keep an eye on the proportion of permanent vs nonpermanent staff and the duration of time for which co­sourcing is used. If co-sourcing is abused, there can be negative outcomes. As a best practice, set reasonable limits on co-sourcing and have a plan that includes specific timelines and objectives for how external resources will be used.

6. Leverage Technology and Data Analytics

For the past several years, Protiviti (a global consulting firm that provides solutions in IA, risk and compliance) has been intently studying the audit and testing landscape to identify opportunities for enhancing testing. The firm found that testing functions need to innovate and embrace technology to keep pace with rapid changes and advancements in business. Technology should be employed in a manner where the testing function is equipped to identify emerging and changing risks quickly enough to cover them within testing activities. Examples of technology tools that can be leveraged include:

• Machine learning/artificial intelligence
• Process mining
• Robotic process automation
• Advanced analytics

Similarly, a PwC report noted the following,

“Organizations that have embraced technology and data analytics are able to more quickly identify the root cause of compliance shortfalls and promptly deploy resources to correct issues that present the greatest risk. Automating testing processes can help financial institutions enhance their overall risk assessment and testing processes, while also freeing up skilled personnel to focus on areas of higher complexity or risk.”

Because each organization's testing program may be in varying stages of sophistication, it may not be possible to take full advantage of the available technology. However, a strong start is to align the culture and tone from the top with an environment that welcomes technological advancement. This includes securing a dedicated data and technology resource within the testing function that can begin exploring potential capabilities and run pilot tests. This requires that the testing function work with their partners and stakeholders within the organization to obtain access to the bank's source systems and data.

From here, the testing team can identify reviews or “candidates” within each testing review that might be prime for automated testing (or testing that can be performed through the use of technology). Typically, testing steps that are standardized and repeatable are suitable for automated testing.

Conclusion

As FCC compliance testing continues to gain importance, banks can consider the following six areas to enhance and strengthen their testing program:

1. Set up a formal coordination effort with IA
2. Establish QC/QA protocols
3. Formalize the process for determining (and maintaining) staff size
4. Invest in strengthening existing staff
5. Consider co-sourcing / augmentation to temporarily fill gaps in required skills
6. Leverage technology and data analytics

While each compliance testing program may vary in nature, the application of the majority of these practices remains relevant across all banks and is helpful in positioning each bank to maintain a robust testing function.

Jonathan Estreich, CAMS-Audit, CFE, director, Société Générale, New York, NY, USA, editor@acams.org

The views expressed in this article are solely of the author and do not represent the views or opinion(s), directly or indirectly, of his employer or any person or organization associated with the author.

1. Véronique Besson, “How can your organisation perform effective and efficient compliance testing?” PwC, April 2018, https://www.pwc.ch/en/publications/2018/pwc_ch_white%20paper_can%20your%20organisation%20perform%20effective%20compliance%20testing.pdf
2. FCC testing as used herein refers to testing related to risks associated with money laundering, sanctions exposure and terrorist financing.
3. The term "financial crime" as used herein refers collectively to money laundering, sanctions exposure and terrorist financing.
4. "Internal and External Audits, Version 1.1, July 2019," Office of the Comptroller of the Currency, https://www.occ.treas.gov/publications-and-resources/publications/comptrollers-handbook/files/internal-external-audits/pub-ch-audits.pdf
5. Ibid.
6. Mark W. Olson, “What Are Examiners Looking for When They Examine Banks for Compliance?” Board of Governors of the Federal Reserve System, June 12, 2006, https://www.federalreserve.gov/newsevents/speech/olson20060612a.htm
7. “Setting the pace: How financial institutions are staying ahead of changes in the compliance testing arena,” PwC, July 2018, https://www.pwc.com/us/en/industries/financial-services/library/pdf/pwc-fs-compliance-testing.pdf
8. “The Future Auditor Goes Digital,” Protiviti, https://www.protiviti.com/US-en/insights/bulletin-vol7-issue3
9. “Setting the pace: How financial institutions are staying ahead of changes in the compliance testing arena,” PwC, July 2018, https://www.pwc.com/us/en/industries/financial-services/library/pdf/pwc-fs-compliance-testing.pdf