No matter if you are new to the Money Services Business (MSB) compliance world or are a seasoned professional, facing an audit can be challenging. While 31 U.S.C. Section 5318(h) of the Bank Secrecy Act (BSA) states that every MSB is required to have an independent review to "test, monitor and maintain its anti-money laundering program," the law does not spell out how often or what should be involved in the review. As the compliance officer, those decisions fall squarely on your shoulders. Whether you think of it as an audit or a program review, the process takes a long, hard look at your policies and procedures and you must be prepared. But for some facing the challenge, the review process can feel like a mystery. Here, three MSB compliance experts demystify the process and share tips on getting the most out of your audit.
Preparing for the Review
"The fact that the regulation doesn't state how often an MSB should have a review was a deliberate decision," said Al Gillum, CAMS, president of Advanced Compliance Technologies, LLC, and a retired postal inspector who helped the U.S. Postal Service establish its independent review process. "Your review schedule should be risk based. You should look at the size and the scope of your organization and the type of risk involved in your products to decide how often you need a review. Are you dealing with anonymous transactions like money orders or are most of your transactions with vetted accountholders? Maybe once a year is enough or maybe you need to have one more often."
Deciding how often is only the first step of the process. Equally important is deciding who will be doing your review. In a large corporation the audit could be performed by another group in the company while a smaller MSB might need to seek an outside resource. Either choice is acceptable, as long as the reviewer is independent of the compliance office. But independent does not mean the compliance office is not involved.
"The auditors are going to be in control of the evaluation," Gillum said. "But certainly the compliance officer should be fully aware of his or her own program and would know areas or issues that should be addressed. An independent review is a two-way street and the compliance officer has a right to ask for certain areas to be looked at."
When preparing for a review, Gillum recommends the following steps:
- Choose an auditor that is familiar with your industry and business line. Also, regulations vary from state-to-state, so make sure you have a reviewer who is familiar with the states in which you operate.
- Outline any specific concerns that you may have about your program or areas you want to test. Discuss these during the preconference meeting and ensure they are included in the review process.
- Keep communication lines open. "Assess your working relationship with the reviewer," Gillum said. "Does the auditor have an 'I got you' or 'I'm really here to help you' attitude?"
- Have your documents ready. During initial meetings, the auditor will outline materials needed for the review. Provide all of the information needed to do an in-depth review of your organization.
- Be prepared to provide information on recommendations from previous reviews and actions you have taken. "An independent review should always look at prior recommendations and see if they have been implemented," Gillum said. "That is a major issue."
- Brief your compliance team on the entire process and ensure that the staff provides the auditors with total and complete cooperation.
The Audit: What to Expect
During the audit, the independent reviewer will be examining both your stated policies and procedures, as well as how well your actual practices conform to the set standards, said Jeff Ross, senior vice president, BSA/AML/OFAC officer at Green Dot Corporation and former U.S. Department of the Treasury senior advisor (law enforcement) in the Office for Terrorist Financing and Financial Crimes. "The auditor is going to focus on what your requirements are and if the requirements are being met. They are going to look at your policies and procedures and will want to see all of the documentation."
To ensure that your company's practices meet the standards set by your written policies and also meet legal requirements, the auditors will review daily transactions, your procedures for opening and closing accounts if applicable and your federal reporting practices. "The auditors will review all transactions for a set period of time and see if those transactions comply with your policies and procedures," Ross said. "The auditors will look for chokepoints and red flags in your processes." Expect the auditors to review the following areas:
- How you identify and verify your customers, and your OFAC reviews.
- To what extent you monitor the sale of your products once CIP has been completed successfully. For example, the number of products sent to the same address, or associated with the same phone number or email address.
- If and how you aggregate transactions associated with the customer's identification.
- How you review and track money/funds coming in to the system. Depending on the type of MSB this could include the frequency of cash or ACH/DD loading, the value of the load/purchase, or the number of accounts/purchases tied to one individual.
- The frequency you review load/spend/pull transactions. Do you perform reviews on a daily, weekly or monthly basis?
- The value and number of foreign transactions both coming on to your system and being spent/pulled abroad.
If your company has accountholders, expect the auditors to review your opening and closing procedures as well. "For example at Green Dot we require all accounts to have a verified Social Security Number," Ross said. "During the review, the auditor will look at the accounts we've opened during the last two years to see if they all have a verified Social Security Number and if there is a verification code on file. They also look at the accounts we've closed to see if we are hitting the right cards and if the cards were closed correctly based on our policies."
If you file Suspicious Activity Reports (SARs), the auditors will examine SARs filed during the review period to see if they meet reporting requirements and also if the narrative text describes the transactions correctly. Last, but not least, the auditors will review your AML training program.
"They will look at the number of people you have, what their backgrounds are and what kind of training they have had," Ross said. "They are going to look very hard at your ongoing companywide employee training program and will want to review your training deck and the policies you have established. At Green Dot, every employee receives AML training, from new hires all the way to senior management. I train the board and the CEO myself every year."
The Final Report is Just the Beginning
When the final review arrives, the process is not over. The report can be a great tool to help you enhance your program. "It provides additional ways to help you meet regulatory requirements beyond where you are now," Gillum said.
Take time to evaluate the validity of the audit report as your review it. Does the report meet the objectives and the parameters set during your initial meeting? Are findings in the report supported by the facts presented and do the recommendations adequately address the problems identified? "If it is done well, the review should be a roadmap of how to make improvements," said Jeffrey Sklar, CPA CAMS, managing director of SHC Consulting Group. "That is the core reason for having the review. It provides a way to improve the overall program."
The report is also a multi-purpose tool that can be used to demonstrate the depth and scope of your compliance programs to both your regulators and your financial institution. "You hear about banks closing MSB accounts because they are too risky," Sklar said. "If the report is robust and covers a lot of areas, it provides the institutions (banks) with the information they want to see. It's about building credibility."