AIMing for Excellence: Optimizing the BSA/AML Training Program as an Effective and Efficient Control, and Audit's Contribution to this Pursuit


Kathleen O. Smith, CAMS-Audit

Table of Contents

- Executive Summary
- Background
- Attributes of an Optimal Training Program
- Framework of an Optimal BSA/AML Training Program
- Audit's Approach and Expectations for Training Program Review
- Business Process to Capture Audit's Review Comments and Incorporate into Training Program
- Conclusion

Executive Summary

Compliance professionals within financial institutions strive constantly to achieve best in class, and generally view training as a critical tool in achieving this pursuit. Training can truly be an organization's first, last and best control. Despite the best intentions, budget and resource considerations may present formidable challenges in this endeavor. An organization's Bank Secrecy Act/anti-money laundering (BSA/AML) training program should be dynamic and continuously assessed, improved and maintained given audit outcomes, in concert with the overall BSA/AML program.

This paper's objective is to illustrate audit's key contribution in the organization's design, delivery and management of training. Consideration throughout will be given to training as an optimal control, using a continuous program enhancement approach. This paper is intended to complement the audience's training design, delivery and management toolkit by engaging audit as collaborator to achieve a more effective and efficient continuous program enhancement.

The target audience is principally financial institutions relatively new to regulation and those for whom resource and budget considerations are formidable. Ideally it will also be a useful resource to a broad audience comprised of compliance, audit and business professionals within the financial services sector. This paper will primarily use experience-based resources to validate the conclusions reached. When possible, industry voices of experts will be referenced. Additionally, details will be provided on associated processes suggested to achieve desired outcomes.
Key focal areas will include:

- Attributes of an optimal training program;
- Framework of an optimal training program;
- Audit's approach and expectations for a training program review; and
- Business process to capture audit's review comments and incorporate into training program, with consideration given to continuous people, process and platform/technology enhancements to achieve overall continuous program enhancements.

As the compliance environment becomes increasingly demanding, draining already scarce resources with its expectations for excellence, organizational focus on efficiency and effectiveness continues to grow and evolve. The solutions to this approach are not new and can be found within the day-to-day operations of business, compliance and audit. This paper is designed to serve as a useful resource and tool to foster and strengthen dialogue and collaboration among all constituents in this striving for efficiency and effectiveness, while ensuring that compliance continues to be good business and everyone's business.

Background

There is little doubt that financial institutions are constantly striving for excellence in BSA/AML training program design, delivery and deployment, as well as the overall BSA/AML program off which training drives. Significant literature and guidance are available in this arena, particularly the dynamic Federal Financial Institution Examination Council (FFIEC) BSA/AML Examination Manual, most recently updated in However, when addressing the optimal process for this design, delivery and deployment, approaches can vary significantly given such organizational considerations as business scope, resources and time within the regulatory community.

Aiming for Excellence [1] may seem challenging, as it comprises numerous steps: a process of continuously assessing what is necessary; continuously improving processes and controls to ensure appropriateness; and continuously maintaining program excellence through an effective control process. The intent of this approach is not to add an additional level of work, or create a stand-alone activity, but rather to leverage the lines of defense or layers of opportunity that are in place. Compliance and audit are, after all, reliant upon the organizational business activities either in place or in continuous development given ongoing expectations. If the business is continuously assessing, improving and maintaining its processes, compliance and audit's roles of validation and advisement become invaluable in this continuous improvement process.

To further elaborate on the rationale of this paper, it is helpful to provide a definitional breakdown of the key components:

- Optimizing, or optimization, includes finding the best available outcome.
- Effective, or effectiveness, is the capability of producing a desired result.
- Efficient, or efficiency, describes the extent to which time, effort and cost are well used for the intended task or purpose. It is often used with the specific purpose of relaying the capability of a specific application of effort to produce a specific outcome effectively with a minimum amount or quantity of waste, expense or unnecessary effort. [2]

While these definitions and approaches are well known among this paper's audience, it is often helpful to remind ourselves and our organizational constituents of these as days become shorter and requirements become greater. Efficiency and effectiveness are not luxuries but necessities given the time it takes daily to achieve such well-known compliance philosophies as: trust but verify; if you do not document, you did not do it; if you document, you do; and when in doubt, take the conservative route. A focus on the continuous cycle of assessing, improving and maintaining with audit's help can turn this challenge into an invaluable opportunity.

[1] Approach developed by author based upon prior work with process efficiency and Six Sigma experts
[2] Wikipedia, the free encyclopedia

Attributes of an Optimal Training Program

- Comprehensively reflects compliance and governance expectations;
- Guides population on process-specific means to achieve expectations; and
- Embraces existing and/or newly defined business processes as foundation to achieving expectations.

Each of the above-referenced attributes can be accomplished more efficiently and effectively by leveraging the lines of defense or layers of opportunity. While everyone within an organization is responsible for a level of knowledge associated with regulatory requirements, given the nature of the various activities, the depth of necessary knowledge may be greater depending upon the roles and responsibilities. Thus, recognizing and embracing the knowledge of the experts among all organizational constituents can be beneficial in achieving an ideal depth and breadth of training.

Guidance from the regulatory community as well as law enforcement can also play a major contributory role in optimizing the training program. One of the most simple, but sometimes overlooked ways to stay current with emerging AML risks is to cultivate and develop contacts with law enforcement agencies. While there are obvious barriers to sharing certain information, law enforcement officers can sometimes provide insights into new money laundering schemes, red flags that are important for current risks, and emerging crime patterns that may be specific to your bank's location(s). [3]

While the overlay of an optimal training program may be the comprehensive coverage of the regulatory expectations, the foundation built upon existing and/or newly defined business processes with appropriate process-specific guidance is the beginning of the path to efficiency and effectiveness.
The business cycle can be reflected as a continuum over which the requirements can be laid:

- Policy = defines the requirements and the rationale behind them (i.e., the what and why);
- Procedures = highlights the who, when, where and how associated with the requisite requirements;
- Process = generally details the step-by-step particulars of the procedures;
- Controls = reflect the checks and balances which are in place to govern the process, procedures and policy; and
- Practice = evidences what is actually occurring, which may or may not be consistent with expectations, thus resulting in audit and regulatory review outcomes which prompt refinements.

[3] ABA Bank Compliance, Nov-Dec 2013, Managing an Effective AML Program, by John H. Atkinson, CAMS

From a training program design, delivery and management perspective, embracing the referenced continuum lends itself to efficiency and effectiveness. As regulatory requirements change, the continuum should be changing to reflect the most current state. As regulatory requirements prompt policy change, training content reflective of policy becomes a given. It also becomes a good check and balance, or control, to ensure that current state is always in place. This is also true with procedures and process, which help to more fully define the most appropriate training population and frequency, coupled with the methods of delivery to best fulfill the training requirements.

Fortunately, given the risk-based approach, which has become the norm, risk considerations contribute to ensuring that the depth and breadth of policy, procedure, process and controls is appropriate to the risk. They also contribute to the pursuit of efficiency and effectiveness.

While all of the above make good common sense, the daily pressures, burdens and costs of everyday business and compliance life tend to result in diversion from this approach. When demands become overwhelming, a reminder of the basic business continuum aligned with associated risk can be useful. Most importantly, documentation reflecting this continuum and the rationale behind it can go a long way toward achieving satisfactory outcomes in audit reviews and regulatory examinations, as well as business strategy and general compliance well-being.

Each training topic has an expert or experts within the organization who can be leveraged to assist in ensuring that appropriate training is in place without recreating the wheel.
While business professionals may not be the resident experts when it comes to regulation, they are truly the experts when it comes to business and the requisite processes associated with optimizing business value. Thus, defined and documented business process established by the resident business experts becomes an effective and efficient first step in the assurance of appropriate training.

While the business process may be a good first step, regulatory expectations which drive compliance and governance expectations are a necessary component. The compliance and legal communities are generally the drivers of these expectations, with audit playing a key validation role. While Audit is certainly expected to be an objective third party in this endeavor, its value cannot be underrated. Audit is not only an expert, but can also serve as an invaluable guide and font of knowledge capital, which can be embraced by both the compliance and business communities.

As a former internal examiner in commercial banking, the author directly experienced the reluctance of the business community to embrace this referenced role as advisor. However, as the voice of this role was truly the last step before the regulator's voice was made known, it was imperative that our knowledge base was extremely comprehensive and our mission to ensure all issues were identified prior to regulatory review was clear among all. Initial resistance to the time and resource demands of internal reviews quickly dissolved as the business professionals realized that our time spent and outcomes communicated were in fact complements to the scarce business resources if embraced as such.

Framework of an Optimal BSA/AML Training Program

Per the FFIEC BSA/AML Exam Manual, "Banks must ensure that appropriate personnel are trained in applicable aspects of the BSA." [4] The manual shares a significant amount of invaluable detail associated with the training program requirements. An optimal BSA/AML training program comprises information appropriate to the requirements and population, and addresses who, what, when, where, why and how for each appropriate to the nature of the training. Depending upon the organization's scope of activities, it will generally be comprised of the following types/levels of training:

- Awareness = information required by total population
- Targeted = specific to lines of business as applicable
- Tailored = role or function specific and highly reflective of business process

Awareness training, sometimes identified as enterprise training, is usually required of all employees, regardless of role, driven by risk-based regulatory and enterprise expectations with frequency generally aligned with these expectations. Targeted training is generally required of all employees within the particular product and oversight area of focus, based upon the business line's involvement in the oversight area.
Tailored training is generally very specific to the particular role, and the root of this type of training may be the business processes and procedures currently in place.

Rarely is awareness training the only level in place, as it presents a challenge to design content that can comprehensively address all levels of training needs within the organization in a single approach. However, organizational policy and procedures are a great starting point at this level of training development, as these documents should reflect the minimum requirements necessary for all to know within the organization. While there may be an organizational view that this training is not required of everyone given respective roles, it is a good rule of thumb to design this training for everyone within the organization to demonstrate a level of awareness regardless of role.

[4] FFIEC BSA/AML Exam Manual, BSA/AML Compliance Program Overview 2010, page 37

While targeted training goes one step deeper, generally focused on particular lines of business which perform activities relevant to the need to know areas of the BSA/AML risk environment, it can be readily built around awareness training, using specific cases or examples targeted at the business activities under discussion.

Tailored training, generally process driven, can be readily built using existing business processes while tailoring the particular process steps to the expectations associated with BSA/AML and the relevant risk. It also lends itself well to a checklist framework, with the process and associated controls embedded within the checklist. This approach not only enables a readily available controls review, but also provides a strong framework for remedial training should controls or audit reviews reveal unexpected outcomes needing refinement.

Given the dynamic nature of the BSA/AML environment, and the necessity to maintain a current and relevant training program, audit reviews can provide a great resource to update and refine content in an efficient and effective manner. While it is hoped that organizations will not have source materials driven from regulatory enforcement actions, with audit's outcomes providing sufficient guidance to preclude these events, when these do occur they can also fuel the refinement of training to minimize the risk of future such events.

While each financial services organization may approach the design, delivery and management of its training program in a distinct manner, noted below for consideration are some tips gleaned from experience and guidance shared by compliance leaders across the sector, both large and small.
While some version of these approaches may already be employed within the organization, when employed fully they may enhance the efficiency and effectiveness of the program's framework:

- Use or establish designated compliance subject matter experts to contribute the relevant subject matter to the training content, particularly for the awareness training;
- Partner the designated compliance subject matter experts with line of business specialists to guide the targeted and tailored training, using as a foundation the existing or newly refined business level processes and procedures and crafting the content around this documentation as appropriate;
- Use all available resources as content contributors and ongoing training resources, including industry-sponsored newsletters, webinars, conferences, as well as internal communications from business leadership and compliance;
- Establish either systematic controls or documented checklists which serve as an evaluative tool for the training effectiveness, prompting remediation training for the relevant personnel as needed should control breaks occur;
- With the above-noted decentralization of content development, centralize and if possible systematize the administration of the deployment to make completion reporting readily available when needed;
- Ensure that completion reporting comprehensively reflects the total population, rather than simply those complete, to ensure that incompletions can be tracked as readily as completions;
- Include a general training section within policy, and a more specific training section within procedure, which can be readily referenced not only during control and audit reviews, but also referenced and followed by business as a clear training guide; and
- Formally review the training program on a regular basis, and document this review, to ensure that all particulars associated with the program are relevant based upon the current regulatory climate and the organization's internal and external review experiences. [5]

Audit's Approach and Expectations for Training Program Review

In accordance with the FFIEC BSA/AML Exam Manual, audit should determine whether the following elements are adequately addressed in the training program and materials:

- The importance the board of directors and senior management place on ongoing education, training and compliance.
- Employee accountability for ensuring BSA compliance.
- Comprehensiveness of training, considering specific risks of individual business lines.
- Training of personnel from all applicable areas of the bank.
- Frequency of training.
- Documentation of attendance records and training materials.
- Coverage of bank policies, procedures, processes, and new rules and regulation.
- Coverage of different forms of money laundering and terrorist financing as it relates to identification and examples of suspicious activity.
- Penalties for noncompliance with internal policies and regulatory requirements. [6]

Audit's approach to an assessment of the BSA/AML training program is relatively clear, given the FFIEC's well-defined examination procedures highlighted above.
While the requirement for an assessment is relatively objective, the assessment can become quite subjective based upon the individual(s) performing the assessment, as well as the evidence of training available and provided to audit. For example, senior leadership's culture of compliance may be well stated within business memoranda and evidenced through the presence of required training. However, training reports may reveal that business leaders are either the last to complete the requisite training or have not yet completed at the time the audit assessment is performed. An observation such as this could be particularly impactful given the current regulatory climate, which is increasingly focused on board and senior management accountability. As noted by the Comptroller of the Currency Thomas J. Curry, during his speech at the recent ACAMS Conference, "when we look at the issues underlying BSA infractions, they can almost always be traced back to decisions and actions of the institution's board and senior management." [7] Additionally, receipt of requested documented training reports may be delayed as reports must be created specific to the requests rather than being readily available. As is common knowledge, subtle clues to the state of training such as this can be as detrimental to the review outcomes as the lack of appropriate content or inadequate personnel coverage.

[5] Guidance obtained from numerous financial services Compliance leaders by author in preparation of a comprehensive Compliance training program evaluation
[6] FFIEC Manual, BSA/AML Compliance Program Overview , page 42

Audit's contribution to the training program design, delivery and deployment in an optimally efficient and effective manner begins well before the training program review itself. As audit is charged with reviewing the overall BSA/AML program and its components, the outcomes of these individual reviews can provide a treasure of guidance on organizational needs for BSA/AML training. Identification of organizational issues may indicate weakness in the guiding governance documentation, which generally provides the foundation for training content. Recognition that this documentation needs refinement is a good first step toward ensuring that training is an optimal control. Deficiencies in any area of BSA/AML can readily feed into the core governance documentation, which can then serve to feed training design, delivery and management.
While enforcement actions may cite training as a deficiency, such as those instances noted on FinCEN's site regarding recent actions against Toronto Dominion, Saddle River and HSBC Banks, [8] in many instances a particular area of concern is noted with no reference to training. However, if either process or practice reflects inadequacies, the underlying governance documentation is likely a factor. If this documentation is used as a basis for training, which should be the case, then an enhancement to this documentation and the underlying training should remedy the situation and preclude future instances of such deficiencies being cited.

In treating training as the first, last and best control, with audit's review of it as such, it is clearly possible to enhance not only the training program's efficiency and effectiveness but also to minimize the risk of regulatory infractions and valuable time spent on remediation. It is always helpful to keep in mind that the business is the driver to activity, with the regulatory umbrella overlaid across all existing governance expectations and prompting refinements as needed. Audit is an invaluable resource to ensure that this situation remains intact and as robust as possible.

[7] Remarks by Thomas J. Curry, Comptroller of the Currency, before the Association of Certified Anti-Money Laundering Specialists, Hollywood, Florida, March 17, 2014, OCC.gov, News Releases
[8] FinCEN Enforcement Actions

It is virtually impossible for everyone to know everything there is to know about all aspects of any regulation, including BSA/AML. However, within the organization's compliance and controls infrastructure and audit, there reside specialized generalists who are responsible to be knowledgeable and current in their knowledge of all that is necessary to keep the organization within regulatory good standing. Auditors can be relied upon as in-house resident experts on the subject matter they review, despite their need to be objective in assessments. Thus, it is extremely useful to maintain a robust dialogue with these specialists, as they can provide not only lagging, but also leading indicators to the regulatory environment. As it is always in an auditor's best interest to identify any and all issues prior to any examiner review, this font of knowledge can be an invaluable resource in ensuring that the BSA/AML training program is satisfactorily robust in all areas to preclude the examiner's need to cite issues or force remedial action within the organization.

Among the lines of defense or layers of opportunity, audit's role should not be overlooked, whether an in-house team or an external consulting organization. While the time required throughout the review to prepare and address any and all considerations seems overwhelming at times, the extra pair of eyes and ears made available and the invaluable knowledge capital readily shared cannot be understated. As Jeffrey Houde cites in his CAMS-Audit white paper entitled A Principles-based Approach for Auditing Board Reporting, to ensure an effective partnership with the client, it is helpful to proactively communicate changes in regulatory expectations and the impact to the client as it becomes known. This will allow the client to begin to comply with the new expectations prior to the audit, helping them to enhance their risk management practices and saving them from being cited unnecessarily in the audit report. [9]

Rather than viewing the need for an audit review as a resource drain, it can be embraced as providing an additional invaluable resource with a finger on the pulse of current and prospective regulatory considerations to incorporate into governance and training documentation and practice. As someone who directly experienced the reluctance to embrace, yet concluded with the welcoming as a trusted resource, this author has seen how opportune these reviews can be to all parties involved in not only fostering efficiency and effectiveness but also in realizing true program quality.

[9] A principles-based approach for auditing board reporting, Jeffrey Houde, CAMS-Audit

Business Process to Capture Audit's Review Comments and Incorporate into Training Program

In all instances, the collaborative endeavor of compliance, audit and business can become more efficient and effective by giving consideration to continuous people, process and platform/technology enhancements to achieve overall continuous program enhancements. This can be accomplished by ensuring that a continuous cycle of focus is in place at all levels, reflected in three stages as follows:

- Assessment phase = reviewing what should be done, initiated by a gathering process and concluded with a discussion among all appropriate constituents;
- Improvement phase = referencing regulatory expectations, industry guidance and business needs to enhance existing program, achieved through an initial review and subsequent implementation process; and
- Maintenance phase = ensuring control environment is properly maintained or refined as needed, and comprised of an ongoing review and validation process to confirm the appropriate environment is in place. [10]

At the most basic level, compliance can be defined as:

- Knowing what must be done;
- Doing what must be done; and
- Demonstrating that what must be done has been done, through documentation.

Given the three lines of defense or layers of opportunity, which exist with the collaborative endeavors of business, compliance and audit, to achieve compliance in the most effective and efficient manner, it is useful to ensure that a dynamic continuum is in place. At its simplest, the collaborative process involves assessment, improvement and maintenance activities at each level. Business is charged with establishing processes to manage according to not only the organizational needs but also the regulatory climate. Ideally, a control environment is in place, which ensures that practices align with processes, regularly evidencing this situation with clear and concise documentation.
Ideally, compliance provides continuous guidance in concert with legal as needed to ensure that the regulatory overlay within the business is timely and appropriate. Compliance may, in fact, perform its own control reviews to validate business conclusions. Finally, audit steps in to affirm or otherwise, ideally simply validating the prior conclusions.

Each constituent is engaged in continuous enhancement activities as a part of the daily flow of responsibility. At each level, should there be a need for revision due to either anticipated or unexpected considerations, the flow of process, control and review and associated documentation is naturally amended to reflect these considerations.

[10] Compliance, Whose Job is it Really, March 2012 presentation by author to regional Compliance association

To achieve a state of optimization with the BSA/AML training program, it is useful to ask these questions at every stage of the assessment, improvement and maintenance phases:

- What could our people have done differently?
- How could our process have been redefined to obviate the issue?
- What, if any, technology changes could be made to enhance the situation?

In each of these instances involving people, process and technology, there are certainly training considerations. While training program considerations can be cited in audit and exam outcomes, basic deficiencies in people, process and/or technology have at their root the opportunity to be remedied through training. For example, if a software program evaluation performed by an external vendor cites a situation where a suspicious activity report (SAR) module is not being properly used, this could result in insufficient identification and/or reporting of unusual or suspicious activity. Training is likely at the root of this situation, or it can certainly be deemed a consideration. However, if the use of the module is not assessed, improved if needed (as in this case), and maintained through the ongoing evaluation and validation of use, the situation could ultimately result in an audit or examiner citing.

Audit provides a wealth of knowledge capital with its review outcomes across the BSA/AML program, which can be used to ensure that the BSA/AML training program is truly best in class. While the training program review is also invaluable, it is essentially the culmination of the overall program reviews and will likely be more of a validation exercise. It is the ongoing assessment, improvement and maintenance across the program which is the key contributor to this best in class situation.
No review can be overlooked, whether a business product review or the consideration of new technology to enhance an existing business process. In each instance, there are BSA/AML considerations which can be adopted within the training program to minimize the risk of future issues or deficiencies within the overall program. Throughout the assessment, improvement and enhancement stages, consideration of the impact on people, process and technology guides constituents to ensure that all aspects associated with training are captured. In each instance, the who, what, when, where, why and how can be asked and addressed to ensure that no stone is left unturned when it comes to communicating expectations and embedding those expectations within training programs. Audit as the continuous final layer of defense or level of opportunity can be invaluable in this endeavor, as auditors truly are an expert partner and resource.

Conclusion

The BSA/AML training program is not only the end game, but also the resource which demonstrates that BSA/AML compliance is good business and everyone's business. An efficient and effective training program, which is continuously assessed, improved and maintained, can serve as an optimal control tool for the organization. Business, compliance and audit each have an invaluable role to play in this pursuit. Through their collective contributions, the BSA/AML training program can readily evidence a culture of compliance embraced by the entire organization.