FCC Testing Within the Banking Industry

What is financial crime compliance (FCC) testing? A report by PwC uses the following definition,

“Compliance testing can be defined as a periodic, independent and objective assessment of compliance-related processes and/or controls. The aim of compliance testing is to assess whether the elements, processes and controls of the compliance programme are designed appropriately and are operating as designed.”[1]

To combat financial crime, the Federal Financial Institutions Examination Council (FFIEC) advises banks to maintain an “effective BSA/AML internal control structure, including suspicious activity monitoring and reporting. The board of directors and management should create a culture of compliance that ensures staff’s adherence to the bank’s BSA/AML policies, procedures and processes.”[2] The FFIEC further defines internal controls as “the bank’s policies, procedures and processes designed to limit and control risks and to achieve compliance with the BSA.”

Within the banking industry, and consistent with the “three lines of defense” model, the business units/functions (e.g., front office) are the first line of defense: they own and manage risk and are responsible for developing internal controls over Bank Secrecy Act/anti-money laundering (BSA/AML) risks. Compliance functions form the second line of defense: they oversee and monitor risk and are responsible for an effective anti-money laundering (AML) compliance program, including a control framework that ensures the bank adheres to internal and external standards. Internal audit (IA) is the third line of defense, providing independent assurance and performing testing and reporting on the overall state of the AML compliance program, including direct testing of the first line of defense.[3]

Accordingly, the compliance testing function typically sits within the second line of defense and includes activities focused on FCC[6] testing. FCC testing is often performed by a dedicated, stand-alone testing team that verifies that internal controls within the first and second lines are reasonably designed and operating to manage financial crime[7] risk. Like IA, the FCC testing function may test business units and other compliance functions; however, it reports to the bank’s chief compliance officer, whereas IA reports directly to the bank’s board of directors.

Why Is FCC Testing Important?

In general, testing programs allow institutions to understand what works and what does not, including by measuring the effectiveness of internal controls. The results of a well-established FCC testing program should demonstrate to regulators whether expectations are being met and whether the bank is equipped to identify and address potential FCC issues, including whether the organization complies with applicable financial crime laws, regulations and internal standards.

As noted in Supervisory Letter SR 08-8 by the Board of Governors of the Federal Reserve System,

“[C]ompliance testing is necessary to validate that key assumptions, data sources and procedures utilized in measuring and monitoring compliance risk can be relied upon on an ongoing basis and, in the case of transaction testing, that controls are working as intended.”[8]

In addition, to ensure that the testing adds value, the program should support a “dynamic, risk-based, independent compliance oversight process designed to periodically select and review a sample of business products, services, communications and other areas to gauge and report on the operating effectiveness of compliance controls and/or adherence to stated policies and procedures.”[9]

What Does an FCC Testing Program Look Like?

While compliance testing programs may take various forms, the following is a general depiction of components that make up a robust FCC testing program.

Annual Planning

A critical tool for determining what the FCC testing team will test, and how, is a formalized compliance testing plan: a risk-based schedule of testing reviews that is refreshed annually and typically laid out over a multi-year period. The plan serves as a road map that informs preliminary decisions about future testing activities, such as:

  • The review topic/area: business area, relevant risk/control categories
  • The timing of the review: relevant quarter/year
  • The type of review: limited scope, full scope
  • The objective of the review: what the results of the testing are intended to show

An increasingly important practice is to develop the plan using a defined “universe” of potential testing areas or units that are each assessed and risk-rated via a combination of quantitative[10] and qualitative[11] inputs. The universe should cover all relevant financial crime risks (e.g., customers, products/services, transactions, markets/geographies) and other areas (e.g., mitigating controls, business functions, organizational entities) that may warrant potential testing coverage.[12]

The resulting risk profile for each area/unit drives the extent of testing coverage and determines how and where it falls on the annual plan. A good starting point for sourcing this information is the bank’s existing compliance risk assessment and other self-assessments that have already collected financial-crime-related information for the areas within the FCC testing universe.

Additional components to consider when developing the testing plan include:[13]

  • Existing or prior testing coverage, including internal and external examinations
  • Areas where there is a regulatory expectation or mandate to review the area
  • Changes/additions since the last testing review (e.g., in regulations, business practices, products/services, risk, controls)
  • Relevant issues or risks that are trending in the industry
  • Information collected and/or learned through ongoing compliance monitoring
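The risk-rated “universe” described above, combined with the planning inputs just listed (prior coverage, regulatory mandates, material change), is in effect a scoring and scheduling exercise. The following Python sketch is an added illustration of one way to carry it out; it is not the author’s or any bank’s methodology. The input weights, tier thresholds, review cadences, input names and the sample universe are all assumptions made for this example.

```python
"""Risk-rated FCC testing universe -> multi-year testing plan.

Added illustration. Weights, tiers, cadences and sample units are assumptions
made for this example, not a regulatory or bank methodology.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed relative weights of quantitative (measurable) vs qualitative (judgement) inputs.
QUANT_WEIGHT = 0.6
QUAL_WEIGHT = 0.4

# Assumed review cadence in years for each inherent-risk tier.
CADENCE = {"High": 1, "Medium": 2, "Low": 3}

# Assumed score thresholds for the tiers (0-100 scale).
HIGH_THRESHOLD = 60
MEDIUM_THRESHOLD = 35


@dataclass
class TestingUnit:
    """One entry in the testing universe (a business, product, control or entity)."""
    name: str
    quant: Dict[str, float]            # quantitative inputs, each normalised to 0..1
    qual: Dict[str, int]               # qualitative inputs rated 1 (strong) .. 5 (weak)
    last_tested: Optional[int] = None  # year of the last review; None if never tested
    mandated: bool = False             # regulatory expectation to review the area
    changed: bool = False              # material change since last review (rules, products, controls)


def risk_score(unit: TestingUnit) -> float:
    """Weighted 0-100 score; higher means more inherent financial crime risk."""
    if not unit.quant or not unit.qual:
        raise ValueError(f"{unit.name}: both quantitative and qualitative inputs are required")
    quant = sum(unit.quant.values()) / len(unit.quant)         # already on a 0..1 scale
    qual = (sum(unit.qual.values()) / len(unit.qual) - 1) / 4  # map 1..5 -> 0..1
    return round(100 * (QUANT_WEIGHT * quant + QUAL_WEIGHT * qual), 1)


def risk_tier(score: float) -> str:
    """Bucket a score into the assumed High / Medium / Low tiers."""
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def build_plan(units: List[TestingUnit], start_year: int, horizon: int = 3) -> Dict[int, List[str]]:
    """Place every unit on a plan covering start_year .. start_year + horizon - 1.

    A unit is due in start_year if it has never been tested, is subject to a
    regulatory mandate, or has materially changed; otherwise it is next due
    `cadence` years after its last review (pulled forward if already overdue),
    and recurs at that cadence for the rest of the horizon.
    """
    plan: Dict[int, List[str]] = {y: [] for y in range(start_year, start_year + horizon)}
    for unit in units:
        tier = risk_tier(risk_score(unit))
        cadence = CADENCE[tier]
        if unit.last_tested is None or unit.mandated or unit.changed:
            due = start_year
        else:
            due = max(start_year, unit.last_tested + cadence)
        while due < start_year + horizon:
            plan[due].append(f"{unit.name} ({tier})")
            due += cadence
    return plan


# Constructed sample universe (illustrative values, not real bank data).
SAMPLE_UNIVERSE = [
    TestingUnit("Correspondent banking",
                {"high_risk_customer_share": 0.8, "high_risk_geo_volume_share": 0.7},
                {"control_environment": 4, "issue_history": 3}, last_tested=2018),
    TestingUnit("Retail deposits",
                {"high_risk_customer_share": 0.1, "high_risk_geo_volume_share": 0.05},
                {"control_environment": 2, "issue_history": 1}, last_tested=2017),
    TestingUnit("Sanctions screening",
                {"alert_volume_growth": 0.5, "lookback_exception_rate": 0.3},
                {"control_environment": 3, "issue_history": 2}, last_tested=2018, mandated=True),
    TestingUnit("Trade finance",
                {"high_risk_customer_share": 0.6, "high_risk_geo_volume_share": 0.5},
                {"control_environment": 3, "issue_history": 4}),  # never tested
]


if __name__ == "__main__":
    for unit in SAMPLE_UNIVERSE:
        score = risk_score(unit)
        print(f"{unit.name:24s} score={score:5.1f} tier={risk_tier(score)}")
    for year, reviews in build_plan(SAMPLE_UNIVERSE, start_year=2020).items():
        print(year, reviews)
```

With these assumed inputs, the high-risk correspondent banking unit lands on the plan every year, the never-tested trade finance unit and the mandated sanctions screening unit are pulled into the first year and then recur every two years, and the low-risk retail unit is reviewed once in the three-year horizon. The point is not the specific weights but that every universe entry receives a documented rating and a documented place on the schedule, which is what a regulator or IA will ask the testing team to show.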

Core Activities for FCC Testing

Activities performed as part of the compliance testing program generally include the following:

  • Executing testing reviews to assess the design and effectiveness of controls aimed at mitigating FCC risk
  • Identifying and escalating control weaknesses to senior business and compliance management
  • Coordinating with compliance and business groups to develop corrective action plans where control gaps are identified
  • Validating that corrective actions have been implemented and are sustainable

The Lifecycle of an FCC Testing Review

The following is the typical lifecycle of a testing review:

  1. Planning: initial research and activities to understand and define the scope and objectives of the review
  2. Fieldwork: execution of testing, including assessing and documenting testing results
  3. Reporting: the drafting and issuance of a final report to senior management and stakeholders conveying the results of the completed review
  4. Corrective Action Development: creating corrective actions to address the root cause of identified issues

Other Considerations

Additional components of a strong testing program might include:

  1. Policies and procedures
  2. Internal management reporting
  3. Work paper management (e.g., a work paper system or method for housing and performing testing work)

The Evolving Nature of FCC Compliance Testing

The concept of compliance testing has evolved significantly over the past decade, particularly with respect to testing FCC activities. This evolution reflects, in part, the current regulatory landscape, in which compliance with financial crime rules, regulations and internal standards is a top priority. Continued fines and penalties for banks that fail to maintain a strong framework of internal controls are evidence of this.

As reported by ACAMS moneylaundering.com,

“Federal enforcement of U.S. anti-money laundering rules jumped nearly 30 percent in 2018…. Nearly half of the 71 total enforcement actions issued last year by the Financial Crimes Enforcement Network, Office of the Comptroller of the Currency, Federal Reserve and Federal Deposit Insurance Corp., or FDIC, targeted institutions and individuals that violated AML rules, and roughly half of those AML-related actions came with monetary penalties.”[14]

According to a 2017 financial services compliance testing survey, financial institutions are continuing to improve their compliance testing programs and are focusing on aligning testing across the three lines of defense, with additional attention to resourcing needs and to leveraging technology and data analytics.[15]

Banks are recognizing the need to grow and enhance their compliance testing functions, and compliance testing teams are beginning to adopt an “IA” way of thinking and operating. This may be due in part to compliance testing functions being held to standards similar to those applied to the IA department, by both IA teams and regulators. It should not come as a surprise, then, that compliance testing is expected to expand and gain more attention over the coming years.

Jonathan Estreich, CAMS-Audit, CFE, director, Société Générale, New York, NY, USA, editor@acams.org

The views expressed in this article are solely of the author and do not represent the views or opinion(s), directly or indirectly, of his employer or any person or organization associated with the author.

  1. Véronique Besson, “How can your organisation perform effective and efficient compliance testing?,” PwC, April 2018, https://www.pwc.ch/en/publications/2018/pwc_ch_white%20paper_can%20your%20organisation%20perform%20effective%20compliance%20testing.pdf
  2. “BSA/AML Compliance Program—Overview Core Examination Procedures for Assessing the BSA/AML Compliance Program,” Federal Financial Institutions Examination Council, 2015, https://bsaaml.ffiec.gov/manual/ComplianceProgram/03
  3. Ibid.
  4. BSA/AML
  5. “Setting the pace: How financial institutions are staying ahead of changes in the compliance testing arena,” PwC, July 2018, https://www.pwc.com/us/en/industries/financial-services/library/pdf/pwc-fs-compliance-testing.pdf
  6. FCC testing as used herein refers to testing related to risks associated with money laundering, sanctions exposure and terrorist financing.
  7. The term “financial crime” as used herein refers collectively to money laundering, sanctions exposure and terrorist financing.
  8. “Compliance Risk Management Programs and Oversight at Large Banking Organizations with Complex Compliance Profiles,” Board of Governors of the Federal Reserve System, October 2008, https://www.federalreserve.gov/boarddocs/srletters/2008/SR0808.htm
  9. “Testing and Monitoring: The Fifth Ingredient in a World-Class Ethics and Compliance Program,” Deloitte, 2015, https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-testing-and-monitoring-the-fifth-ingredient.pdf
  10. Quantitative inputs generally refer to factors that can be measured, counted and expressed in numeric terms and involve data/metrics that can be used to draw calculations, such as the number or percentage of high-risk customer types within a specific business.
  11. Qualitative inputs generally refer to factors that are not as easily measurable, such as information that is descriptive and conceptual in nature. This often involves professional judgement and subject-matter expertise and might include more general questions, such as whether the state of the control environment around a specific high-risk customer type is working as intended.
  12. Jonathan Estreich, “How to Build an Audit Risk Assessment Tool to Combat Money Laundering and Terrorist Financing,” ACAMS, December 2013, http://www.acams.org/wp-content/uploads/2015/08/How-to-Build-an-Audit-Risk-Assessment-Tool-to-Combat-ML-and-TF-Jonathan-Estreich.pdf
  13. “Compliance Testing Plan – When?” Mortgage Banker Magazine, https://www.mortgagecompliancemagazine.com/weekly-newsline/compliance-testing-plan-2/
  14. Daniel Bethencourt, “US AML Enforcement Returned in 2018,” ACAMS moneylaundering.com, April 2019, https://www.moneylaundering.com/news/us-aml-enforcement-continued-climbing-in-2018/
  15. “Setting the pace: How financial institutions are staying ahead of changes in the compliance testing arena,” PwC, July 2018, https://www.pwc.com/us/en/industries/financial-services/library/pdf/pwc-fs-compliance-testing.pdf