After 13 years of working in the anti-financial crime (AFC) field for three financial institutions (FIs)—each with a different regulator—in addition to working closely with peers from all types of FIs, it has become evident that the description “one size fits all” does not apply to anti-money laundering (AML) and economic sanctions regulatory exams. Although the federal functional regulators in the U.S. utilize the Federal Financial Institutions Examination Council’s (FFIEC) “Bank Secrecy Act (BSA)/AML Examination Manual” to guide their exams, how regulatory compliance requirements are interpreted and applied to the FI being examined can vary for each regulator and individual examiner. This topic has often been discussed over the years at industry conferences, in peer groups, articles, webinars, congressional hearings and so on.
With different types of FIs subject to regulatory compliance requirements and regulatory agencies having varying mandates and focuses, preparing for an exam can be a daunting task. However, there are plenty of steps an FI can take to prepare for an exam, regardless of the industry and primary regulator. Preparation is critical to a successful exam and will ultimately strengthen the FI’s AFC program.
As the old adage goes, “Nobody plans to fail. They just fail to plan.”
Documents such as the FFIEC “BSA/AML Examination Manual” are helpful and should be consulted when building effective AML and sanctions programs. In addition, enforcement actions brought against FIs should be closely reviewed, as they provide insight into what FIs should and should not be doing. Some contain detailed information about the decisions, or lack thereof, made by FIs that led to the enforcement action (e.g., capping alerts, failure to open case investigations, turning a blind eye to suspicious activity or economic sanctions violations), while others provide only high-level information (e.g., failure to implement adequate AML and sanctions programs or lack of an enterprise-wide AML and sanctions risk assessment). Regardless of the level of detail, it is critical to read and analyze each enforcement action thoroughly, as they provide information about violations, other program weaknesses and recurring compliance and risk issues, as well as instructions on the steps FIs are required to take to address the problems. Moreover, FIs can be assured that the examiners have read the enforcement actions and will check during an exam whether the FI has similar issues.
The following are some steps to consider when analyzing enforcement actions:
- Document each issue and compare it against the FI’s controls for addressing it. This enables management to determine the risk their institution faces of incurring an enforcement action and to consider enhancements to their controls to avoid one (see Table 1).
- Analyze enforcement actions regularly. This analysis should not be a one-time exercise, but something performed with each new enforcement action and revisited periodically, such as during the enterprise-wide AML and sanctions risk assessment or in the months prior to an exam.
- Share results with the board of directors, senior management and the AML and sanctions oversight committee, or any other similar committee. Also consider sharing the analysis with the FI’s lead examiner.
Quality Assurance Testing
While an internal audit or exam will provide feedback on the strength of the FI’s AML and sanctions program as a whole, the reviews can be broad in scope. In addition, examiners and auditors typically have a limited period of time to complete the review. Therefore, a deep dive into all areas of an AML and economic sanctions program tends to be more difficult. Quality assurance (QA) testing—depending on how the QA program is structured—can be nimbler and allow for a much deeper dive. The following are ideas on how to structure a robust QA program to help build a strong program:
- Focus testing on areas that pose a higher level of risk to the FI.
- Focus testing on areas where exceptions have been identified either by internal audit, the examiners or management.
- Increase testing and place more focus on major AML and sanctions processes, such as alerts, case investigations, suspicious activity reports (SARs) and enhanced due diligence (EDD) reviews of high-risk customers.
- Perform QA testing of areas that have never had a review performed before (e.g., newly implemented software, monitoring scenarios, areas where new procedures have been rolled out or existing procedures have been significantly modified, new controls implemented for new products or services).
Lastly, be sure to develop a QA program procedure and a scope document for each area tested and report the findings and status of recommendations to appropriate oversight committees. Do not be afraid to adjust the testing plan by removing or delaying planned reviews based on changing priorities, the discovery of new issues, implementation of new high-risk products or services, or the findings from an exam. The goal should be to focus review efforts where they are needed to strengthen an FI’s AML and sanctions program and not become another internal audit function. The combined efforts of internal audit and QA reviews will prepare an FI for a successful exam.
Prior Exam Requests
As part of the exam management process, every request, question and compliance issue raised by examiners, as well as the outcome, should be documented. Not only is this beneficial for ensuring that the requested information was provided in a timely manner and the issue(s) adequately addressed, but this information will also help when preparing for future exams. For example, reviewing this list in the months leading up to an exam can help identify areas the examiners have focused on and may focus on again, including specific customers or industries that the examiners return to year after year. Doing so gives management the opportunity to ensure there are no gaps or other deficiencies, that these areas receive appropriate attention and that the corresponding controls are in place.
Enterprise-wide AML and sanctions risk assessments document inherent risks faced by an FI, help guide an FI in building its AML and sanctions programs and are an important part of an exam. Examiners utilize risk assessments to learn about the inherent risks faced by an FI and determine where further testing should be performed. While the executive summary of the risk assessments will highlight inherent risks at a high level, it will typically not include details examiners need to understand the inherent risks faced by an FI and the corresponding controls to mitigate those risks. Further complicating matters is the length of many risk assessments, which makes it difficult for examiners to parse out the inherent risks faced by an FI.
Many FIs have experienced a situation where a perceived risk is identified or misunderstood by an examiner based on the information provided (or not provided) during an exam. If this happens, the FI can find it difficult to dig its way out of that initial assessment. One way to avoid this problem is to document the FI’s top inherent risks, mitigating controls and gaps in a memo or presentation that explains why they are considered the most significant inherent risks faced by the FI. Lastly, and most importantly, schedule a meeting with the examiners as soon as they are on-site, or even before they are on-site, to discuss these inherent risks, controls, gaps, etc. Doing so limits surprises, confusion and misinterpretation during the exam.
Examiners have a short window of time to review the risk assessments and assess an FI’s risks, so documenting inherent risks and controls in a clear and concise manner is important.
Not enough can be said about building relationships with colleagues at other FIs and joining peer groups. Staying in regular communication (e.g., phone calls, email distribution lists, surveys or in-person meetings) with peers to discuss problems and solutions, as well as to learn about what examiners focused on during a recent exam, will help FIs prepare for their upcoming exam and strengthen their AML and sanctions programs. For example, these discussions could reveal that an examiner focused on a specific aspect of the FI’s EDD program, such as how the FI developed its customer risk-rating tiers and its justification for placing certain customer types in one tier versus another. This knowledge should prompt an internal team meeting to discuss how well the FI would respond to these questions during an exam and whether any enhancements can be made to strengthen this specific element of the FI’s EDD program.
Furthermore, working closely with peers can help an FI benchmark its AML and sanctions programs. For example, peer FIs can work together to evaluate new compliance regulations (e.g., the AML Act of 2020 [1]) or new money laundering or sanctions risks. Peer FIs can also benchmark appropriate staffing levels based on asset size, AML and sanctions risks and false positive alert ratios, and collaborate on technology initiatives. These actions will help FIs design or enhance their programs as well as build a consistent approach to conforming with regulations and other requirements.
Contrary to popular belief, regulators are not out to play a game of “Gotcha.” While they must ensure FIs adhere to regulatory requirements, regulators have a vested interest in seeing FIs succeed in protecting the financial sector. An important aspect of this is the relationship an FI’s management has with the lead examiner and the exam staff. The following are two ways a regulator can be engaged to build a good relationship:
- Set up regular meetings with the FI’s lead examiner and reach out when questions arise regarding a significant process change management wants to implement or a new risk-based approach to increase efficiencies. Do not expect the lead examiner to grant approval for the change or enhancement; these discussions are an opportunity to learn the examiners’ perspective. Just as important, they give the lead examiner a heads-up on significant program changes prior to the exam.
- Set up a kick-off meeting to present the FI’s AML and sanctions programs and any significant changes since the last exam. Additional kick-off meetings could cover higher-risk areas (e.g., trade finance, money services businesses) or any areas the examiners have an interest in reviewing. These meetings will provide the examiners with information they may otherwise have to seek out during the exam and will help answer many of the questions they have before the review begins.
If management starts an exam with a defensive mindset and compounds that with poor communication, the FI is unlikely to have a successful exam. Taking a more positive approach and establishing an open dialogue with examiners will help achieve better exam results. This does not mean the exam will be issue-free, but a more positive approach and regular discussions with the examiners will help management and the examiners work through issues in a more productive and constructive manner. An added benefit of building a good relationship with the regulator and lead examiner is that they may be more willing to share best practices implemented at other FIs, such as approaches to tuning monitoring scenarios and dealing with negative news screening results.
While there is always room for healthy pushback between FIs and examiners, finding common ground is an important factor in a successful exam.
Ultimately, the key to success is to keep exam preparation top of mind throughout the year and not start right before an exam or stop shortly thereafter. In fact, the months preceding and following an exam are an important time to take stock of where an FI’s AML and sanctions program stands in complying with regulatory requirements, as well as achieving industry best practices.
While the advice provided above does not include everything that should be considered to prepare for an exam, and for some FIs may not be feasible given staffing and budget constraints, many of the recommendations are easy to implement regardless of asset size, staff size, regulator and so on. These steps have been tested and will help FIs have a successful exam. Ultimately, stronger AML and sanctions programs will be established that achieve the goals of protecting the FI, protecting the financial sector and advancing national security objectives.
Chris Bagnall, CAMS-FCI, CFE, Sojourn Technologies, Bagnall@sojourn-technologies.com
1. “William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021,” H.R. 6395, https://www.govtrack.us/congress/bills/116/hr6395/text