Practical Suggestions/Tips for an Effective BSA/AML Compliance Function


1 Practical Suggestions/Tips for an Effective BSA/AML Compliance Function
Governance and Structure; Policies, Procedures and Internal Controls; Training; and Testing
Peter C. Fitzgerald, Principal
May 20, 2010

2 Governance and Structure
- Establish clear roles and responsibilities, reporting lines and job functions
- Establish committees, develop charters, maintain formal minutes
- Need to consider BSA/AML activities that are outsourced
- Provide the AML Officer with direct access to the Board and/or Senior Management
- Establish periodic reporting by the AML Officer (e.g., metrics, risk trends, new/proposed regulations, results of compliance testing and audits, etc.)
- Business is responsible for complying with BSA/AML requirements/expectations; compliance provides advice and guidance
- Develop strong working relationships between compliance and the business
- Appoint, depending on the size of the institution, business unit AML Liaisons to serve as conduit between the business/compliance

3 Policies, Procedures & Internal Controls
- Having policies, procedures and controls in place is not a guarantee of compliance, but not having them guarantees non-compliance
- Communicate/reinforce policies, procedures and controls through on-going guidance, training, memos, e-mails and other internal outreach
- Consider developing a regulatory requirements matrix
- Consider annual attestation: "I have read, understand and will comply with."
- Establish policies and procedures as living documents
  - Need to reflect actual practices/activities and be updated in a timely manner when changes in activities, processes, systems, regulatory requirements, etc. occur
  - Maintain version control
  - Update and approve annually
  - Material changes should be approved and communicated to affected employees

4 Training
- Conduct a training needs assessment
  - Who should receive training
  - Why certain employees/functions should receive additional training
  - What AML issues/topics the training should cover
  - Frequency of training
  - How AML training may be delivered
- Consider developing an AML Training Program Matrix
- Establish Levels of Training
  - Level 1 - Mandatory Annual General AML Awareness Training
  - Level 2 - Required Supplemental Training (AML Critical Staff, Board/Senior Management)
  - Level 3 - On-the-Job Procedural AML Training (New hires and existing employees transferred into HR areas)
  - Level 4 - External Supplemental Education (AML Compliance Staff)
- Formalize a training schedule and develop curriculum accordingly
- Based on the AML training schedule and curriculum, senior management should continue to align resources to address AML training needs
- Document and address any and all exceptions to training

5 Testing
- Continued reliance by regulators on financial institution's own monitoring and senior management assertions:
  1) Business unit self-assessment
  2) Compliance testing
  3) Internal audit
- Those performing testing must have the requisite qualifications, training and experience
- Use your bank's risk assessment to focus the testing scope on areas of greatest concern
- Testing of automated systems
  - Comprehensiveness/accuracy of data
  - Adequacy of thresholds, rules and parameters
  - Outputs
- The audit program, audit report and supporting work papers and other documentation should be maintained, detailed, easy to follow and accessible by the examiners
- LOBs need to be responsive to audit requests and provide audit with full access to information and staff

6 Testing (cont'd)
- Transaction testing should be performed and documented
- Distribution of reports should be comprehensive and timely
- Audit ratings need to be consistent with the observations and recommendations
- Exceptions noted should be tracked and tested in subsequent audits
- Incorporate recommendations, as appropriate, into the AML Program
- Banks may delegate (outsource) testing activities but must maintain responsibility
- A service level agreement or similar document should be in place that delineates the activities that have been delegated

7 Thank You
Peter C. Fitzgerald, Principal
(212)
Deloitte Financial Advisory Services LLP
Two World Financial Center
New York, NY

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

This presentation contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this publication.