AML compliance reminds me of a classic Three Stooges scene from A Plumbing We Will Go (view episode here) – Curly, as one of the plumbers, continues to add pipes to a leaking bathtub, only to be surprised when the water continues to come out of the end of the pipe, and so on — you will get the picture.
We all know about the four pillars of AML compliance. Excuse me for ignoring them and moving on to a broader, and hopefully more helpful look at AML compliance elements. Instead of using pillars (with lots of surrounding air), I prefer to look at ten key functions that every AML compliance program for a financial institution should have.
Unlike some other risk assessments in the compliance field, there is value to conducting a risk assessment in the AML space. Looking at geography, business and individual relationships, and numerous product lines, the risk assessment can help to organize risks, focus on measurement and look at remediation. The exact design and tailoring of the compliance program should be laid on a foundation created by the risk assessment.
The 10 key elements include:
Board and CEO commitment to AML compliance program: Too many financial institutions suffer from poor tone-at-the-top because of competing demands and lack of commitment. The Board and CEO commitment, means more than just lip service; it means real hands-on dedication, communication and the personal touch to ensure that every business person views compliance as part of their duties and not just the compliance department.
Designated AML compliance officer with appropriate resources: A designated AML chief compliance officer should have adequate resources to support the financial institution’s compliance program. When it comes to resources, a CCO does not just need personnel; CCOs need real investment in technology because and AML program is only as good as its software for organizing financial information, customer data, and filtering transactions.
Comprehensive Policies and Procedures: Written policies and procedures covering the full gamut of AML compliance issues are important. Financial institutions need a solid, written foundation to every component of the program. The policies and procedures have to be accessible to relationship managers, branch managers and other financial sales persons.
Know Your Customer (“KYC”) program: Customer risk assessments should be conducted during the on-boarding process, and should be re-evaluated when new, relevant information is learned, or when a customer expands into a new high-risk area, or negative media is discovered. A KYC program is an important initial data gathering function that should focus on the types of products and services; the expected pattern of activity in terms of transaction types, dollar volumes and transaction frequency; geographic location of business and financial activity; and status of high-risk individuals.
BSA Record Keeping and Suspicious Activity Report controls: A compliance program is required to designate a BSA officer, who should be separate from the overall CCO (depending on size of bank). Financial institutions have to maintain comprehensive records, especially concerning suspicious transactions, the assessment of such transactions, and the decision whether to file a SAR.
AML Training: Financial institutions have to devote significant resources to training. Financial institutions have so many employees on the “front line” interacting with customers that the number of risks are exponential. Training employees who each have responsibilities for compliance reporting, information gathering and following elevation procedures is critical for an effective AML program. Too many financial institutions have been dinged for their rote or by-the-book AML training programs.
OFAC Sanctions Compliance: In this age of ever-shifting sanctions laws and regulations, AML compliance program have to attend to OFAC screening of customers as part of BSA/AML compliance. It is easy to violate a sanctions regime and easy to comply by screening transactions and customers.
Robust Reporting Requirements: An AML system has to build in reporting requirements to ensure that information is passed within the compliance program to necessary personnel and compliance officers. A compliance program is only as good as the communications that occur within the organization. Information that stays with one person and is not shared is deadly to the operation of an effective AML program.
Ongoing Monitoring and Testing: Financial institutions have to become more flexible when it comes to monitoring and auditing their compliance program. An AML program generates lots of data and provides more than enough metrics to measure the compliance program. Trends need to be updated on an ongoing basis. Independent evaluations and testing should be conducted annually, and the report should be provided directly to the CEO, senior management and the Audit Committee.
Suspicious Activity Audits: Financial institutions are at greater risk not only for failing to file SARs, but for failing to provide adequate information. A financial institution should conduct an annual SARs audit to determine if the controls are operating effectively, that potential SARs are being screened consistently, and when filed, are done so with adequate information.