Differences Matter: Comparing Independent Testing and Validation of Matters Requiring Attention

Independent testing of anti-money laundering (AML) programs pursuant to regulatory requirements and validation of actions as a result of Matters Requiring Immediate Attention, Matters Requiring Attention or Matters Requiring Board Attention (collectively referred to as MRAs) are complementary and have some similarities. However, the methods by which the issues are identified are explicitly distinct. Independent testing activities are designed to have banks self-identify issues and concerns; therefore, these should be conducted on an ongoing basis. In contrast, the validation of actions taken in response to MRAs is focused on specific concerns identified by a bank’s regulator(s), and assessing whether the corrective actions taken are appropriately designed and implemented, and—depending on scope—sustainable. This article provides insight into similarities and differences for these activities, given the increased regulatory focus on both the independent testing function and MRA validation activities.

Independent Testing and MRA Regulatory Expectations

There has been significant industry discussion and focus on independent testing, but limited focus on the topic of validating actions taken in response to MRAs.

The method used to define and communicate MRAs is described in both the Federal Reserve Supervision and Regulation Letter (FRB) SR 13-13/CA 13-10 and the Office of the Comptroller of the Currency’s (OCC) Bulletin 2014-52. Recently, regulators have increased their focus on the reported conclusions and associated work papers of both independent testing and MRAs’ control activities to assess the scope, adequacy of work performed (including independent testing), observations, recommendations and conclusions identified.

Similarities Between Independent Testing and MRA Validation

Both independent testing and MRA validations:

  • Assess the design and operating effectiveness of particular controls and/or corrective actions
  • Typically involve the assessment of policies, procedures and processes
  • Can involve testing of sample selections

For both activities, procedures performed to support the conclusions drawn should be documented and maintained. Generally, results should be disclosed to the audit committee of the board, and are often communicated, as appropriate, to the general auditor and relevant executives.

Differences Between Independent Testing and MRAs Validation

The approach and results related to performing MRA validations differ from independent testing in the following ways:

  • Focus—specific vs. overall:

    • MRA validation activities are conducted to assess whether a specific action taken by management addresses an identified issue raised by its regulator.
    • Independent testing is a regulatory requirement, as noted in Section 352 of the USA PATRIOT Act, and one of the five pillars of an effective AML program. Independent testing is also performed to obtain an independent evaluation of the overall adequacy and effectiveness of the institution’s Bank Secrecy Act/anti-money laundering (BSA/AML) program. It is designed so institutions are able to identify and address BSA/AML activities and processes that may not be consistent with regulatory requirements, documented policies and procedures, and regulatory expectations.
  • Scope and timing:

    • MRA validations focus on assessing newly implemented processes designed to monitor specific corrective actions taken by management to address a regulatory concern and typically have only been in place for a relatively short time frame. Based on the complexity and content of the MRAs, validations can be broken down into multiple milestones. MRA validation scoping strategies for assessing milestones can be completed all at once or as sub-milestone areas are completed by management. As a result, the timing of an MRA validation can be more flexible than independent testing. Generally, banks must complete validations within 90 days of the business implementing corrective actions in response to MRAs.
    • Independent testing evaluates a bank’s overall BSA/AML program, typically for a 12–18 month period. Independent testing assesses both existing and new processes developed during a defined covered period. There is no defined timeline for when independent testing must be completed after the end of the covered period; however, it should be reasonable.
  • Sustainability:

    • For MRAs, regulators will generally want to see evidence that the newly implemented processes, procedures and controls have been in effect for multiple cycles of the related control activities to demonstrate they are operating as designed and demonstrating sustained performance prior to performing operating effectiveness testing. As such, corrective actions related to an MRA validation typically are not tested for operating effectiveness immediately upon implementation.
    • The concept of evaluating for sustainability is not called out specifically in the independent testing process; on the contrary, it is a regulatory expectation that an assessment of existing processes be performed—unless the policy, procedure or control is newly implemented during the covered period. In these instances, the testing party will typically document its understanding of the newly implemented policy, procedure or control and—based on professional judgment—determine if sampling of current activities is practical or if detailed testing should be performed during the next independent testing cycle.
  • Reporting results:

    • MRAs are typically either validated or not validated by the party performing the validation. If there are material observations identified during the validation testing that indicate meaningful issues within the newly implemented policies, procedures and/or controls, the assessment results in a non-validation. Validation occurs when issues are addressed and the corresponding policies, procedures and/or controls are appropriately designed, operating effectively and sustainable.
    • Independent testing reports are typically designed to identify observations and recommendations resulting from the activities conducted. Independent testing is also designed to provide a set of observations and recommendations for monitoring gaps in regulatory requirements or expectations, regulatory concerns, deviations from policies and procedures, or for future improvements to the BSA/AML program. These observations may or may not be material, and the existence of observations does not preclude a BSA/AML program from achieving a positive rating.
  • Governance process:

    • When performing MRA validations, consideration is given to the design, implementation and sustainability of any corrective actions. For example, if a new procedure is designed and implemented by management, the expectation is that the validation approach would include assessing tasks such as whether the financial institution’s internal approval processes were followed, whether the procedures were disseminated to the applicable personnel and whether training was provided on the new procedures. It is also expected that management will provide evidence of sound governance and documentation of their rationale for decisions made and actions taken.
    • Independent testing typically considers the institution’s governance of the overall AML program in addition to governance over specific areas, which may include reports to the board or other governance committee, the compliance organizational structure and lines of reporting, and the emphasis on the “Culture of Compliance.”

Both independent testing and MRA validation are designed to assist banks in assessing whether sustainable policies, procedures and/or controls are in place, but each has its own applications. Strong control functions—whether supported through independent testing and/or MRA validation—are necessary for banks to maintain effective operating environments, meet regulatory expectations and protect their reputation.

Peter Fitzgerald, Deloitte Risk and Financial Advisory principal, Deloitte Transactions and Business Analytics LLP, New York, NY, USA, pefitzgerald@deloitte.com

Scott Zucker, Deloitte Risk and Financial Advisory manager, Deloitte Transactions and Business Analytics LLP, New York, NY, USA, szucker@deloitte.com

Joanna Marathakis, Deloitte Risk and Financial Advisory manager, Deloitte Transactions and Business Analytics LLP, Boston, MA, USA, joamarathakis@deloitte.com

