Ask the AFC Guru: Adam Vocalino-Szymanski—The A-Z on Internal Audits, Federal Examinations and More

Ask the AFC Guru: Adam Vocalino-Szymanski—The A-Z On Internal Audits, Federal Examinations and More

Anti-financial crime (AFC) guru Adam Vocalino-Szymanski, CAMS, has been in the AFC industry for nearly seven years. He began his career in AFC as an investigator tasked with reviewing various suspicious activity alerts and cases. Vocalino-Szymanski is now the deputy Bank Secrecy Act and deputy Office of Foreign Assets Control (BSA/OFAC) officer at First American Bank, a $5 billion privately held financial institution (FI) with locations in Wisconsin, Illinois and Florida. Vocalino-Szymanski has extensive experience in preparing for internal audits and federal examinations. He is also experienced in performing periodic risk assessments and creating reports for senior management or the board of directors.

Question 1: How can an FI be proactive in preparing for internal audits?

Adam Vocalino-Szymanski (AVS): For someone to be comfortable preparing for internal audits, their first step is to understand the typical scope of an AML/OFAC internal audit. Often, the internal audit will mirror federal examination processes to effectively evaluate the AML/OFAC programs. My recommendation is to start by referring to the Federal Financial Institutions Examination Council (FFIEC) BSA Examination manual and comparing the areas of coverage in the manual to your FI’s risk assessment and documented AML/OFAC policies and procedures. The FFIEC BSA Examination manual provides guidelines for how the AML/OFAC programs will be assessed as a whole, as well as how compliance with regulatory requirements related to specific areas of the program will be assessed. This will build a base understanding of what documentation you can expect to provide to internal auditors when the internal audit process starts.

In terms of being proactive, I recommend keeping a log of key program enhancements and decisions that are made between internal audits (and federal examinations), especially if the updates are made in response to a regulatory update, to highlight these enhancements and decisions for the next internal audit. It is important to show that the program is responding appropriately to regulatory changes and expectations. Keep an open line of communication with your internal auditors and make them aware of any major program updates or changes so that the scope of the next internal audit can be adjusted accordingly.

Question 2: What tips would you give FIs as they prepare for a federal examination?

AVS: In addition to the response above, the actual results of the internal audit should be considered when preparing for a federal examination. If the internal audit has identified any gaps or control issues, they should be adequately addressed and documented prior to the federal examination.

Question 3: What is the most crucial element of a risk assessment?

AVS: The most crucial element of a risk assessment is creating an assessment that is specific to the unique risk factors of your FI. A one-size-fits-all approach to a risk assessment (e.g., using a templated risk assessment) will not adequately capture the specific risks that your institution is subject to. The specific risk areas to consider are products and services offered, customer base, geography, transaction volumes, audit and exam results, and, most recently, incorporating the Financial Crimes Enforcement Network’s AML/counter-terrorist financing National Priorities into the evaluations. To achieve this crucial element, you must be knowledgeable of the institution’s exposure to the various risk categories, how those risks are mitigated by internal controls and the current regulatory landscape related to those categories. Creating a risk assessment that is catered to the specific FI is an important piece in demonstrating to regulators that the FI’s existing AML and OFAC programs appropriately address the risks to which it is subject.

An honorable mention for the most crucial risk assessment element is the documentation that is used to inform the risk assessment. Be sure that you retain any data, reports, calculations, working papers, etc., that inform the risk assessment and make those documents accessible to anyone analyzing or viewing the risk assessment, as necessary.

Question 4: What are your recommendations for preparing reports for senior management?

To prepare an effective report for senior management, I find the first and most crucial step is determining the purpose and intended outcome of each report that is created. Take into consideration what you want to convey to senior management about your AML or OFAC program and the intended result of providing the information. In addition, your specific audience will determine what information is pertinent to the report. A report created for the board of directors will likely look a lot different than a report prepared for a specific executive committee or internal audit, etc. In general, senior management reports should focus on high-level overviews of pertinent AML/OFAC topics and why those specific topics are being addressed.

Senior management reports will likely look much different than operational reports that are prepared for consumption by the AML/OFAC team internally as well. However, internal operational reports can and should be used to inform the senior management reports when applicable. Senior management does not need every set of data available to the AML/OFAC team, but rather a concise report that provides insight into the AML/OFAC program and is appropriate for the specific audience. Consider the decisions that the specific senior management audience is responsible for making and design the reports to inform their decisions effectively.

An interesting way to view senior management reports is incorporating them into the risk assessment process as ongoing “mini risk assessments.” If senior management reports are built to incorporate the categories that are covered by the risk assessment as appropriate, then the reports can be used to inform the larger overall risk assessment. Senior management reports are typically updated more frequently than the risk assessment, so incorporating aspects of the risk assessment can provide insights into the status and direction of the AML/OFAC well before the larger periodic risk assessment is completed.

Question 5: What are some mistakes that are often made when preparing reports for senior management?

AVS: Based on my recommendations above, I believe the biggest mistake that is made when preparing reports is providing senior management with reports that do not achieve the intended result. Building a report that portrays the information clearly and concisely is crucial, whether the intended result is to highlight emerging risks or convey that the AML/OFAC programs are running effectively. The report may contain too little information and not provide the required insight into the AML/OFAC program that senior management needs to inform future risk decisions. Conversely, the report may contain too much information, making the intended message difficult to decipher and rendering the report ineffective.

Adam Vocalino-Szymanski, CAMS, deputy Bank Secrecy Act and deputy Office of Foreign Assets Control (BSA/OFAC) officer, assistant vice president, First American Bank, Elk Grove Village, IL, USA,

One comment

Leave a Reply