Financial Services. Testing anxiety Bank Secrecy Act/Anti-money laundering independent testing survey

Transcription

1 Financial Services Testing anxiety Bank Secrecy Act/Anti-money laundering independent testing survey

2 Contents Executive summary 1 Introduction 2 Organizational structure and resources 3 Use of third-party service providers 5 Testing expertise 7 Testing scope 9 Challenges 11 Regulatory review 14 Authors 16

3 Executive summary Although the independent testing of Bank Secrecy Act/ Anti-Money Laundering (BSA/AML) programs has been required by the USA PATRIOT Act (PATRIOT Act) since its inception, 51 percent of financial industry respondents surveyed were not very confident that their independent testing would identify any significant weaknesses that exist in their programs before they come to the attention of the regulators. This concern is more than hypothetical 36 percent of respondents said that the regulators had cited matters requiring attention in their institutions independent testing program during the last three years. This is one of the key findings that emerged from a survey of more than 150 financial industry respondents by Deloitte & Touche LLP and Deloitte Financial Advisory Services LLP (collectively, Deloitte throughout this document) on BSA/AML independent testing. 1 Why are respondents not more confident in the effectiveness of their independent testing programs, and why have the regulators often identified matters requiring attention in many programs notwithstanding ongoing independent testing? Three principal reasons emerged from the survey: Need for additional expertise. Fifty-eight percent of the respondents said their institutions did not have a dedicated, specialized BSA/AML testing team, while 36 percent reported that they did not employ either internal or external AML subject matter specialists to provide additional expertise. In Deloitte s experience, compliance officers indicate that using internal or external professionals with the requisite knowledge and experience to perform the testing provides for a more comprehensive testing process, which in turn enhances the overall effectiveness of BSA/AML programs. In addition, in Deloitte s view, the use of AML subject matter specialists tends to increase the likelihood that internal testing will identify potential weaknesses or deficiencies in a timelier manner, enabling institutions to address deficiencies more quickly. Inadequate budget and hours. Securing adequate resources and budget committed to independent testing was cited by roughly 75 percent of respondents as one of their top challenges, including one third who named it as their number one challenge. In addition, only about 1 In this report, independent testing refers to BSA/AML independent testing. 25 percent of respondents expected the hours allocated to independent testing to increase over the next year; the remaining three quarters thought they would remain the same or even decrease. In Deloitte s view, not committing sufficient resources and budget or employing inexperienced personnel to conduct testing activities can create additional risk. Indeed, inadequately trained and/or too few trained personnel have been cited as a deficiency in numerous regulatory enforcement orders. Desire for additional regulatory guidance. Roughly three quarters of respondents said a lack of clarity in regulatory requirements was one of the top challenges they faced. More than 80 percent of respondents wanted additional guidance from the regulators, with those from institutions with less than $25B in assets most likely to feel that much more regulatory guidance was needed. This finding is not unexpected given the complexity of testing, especially of AML Information Technology (IT) systems. Yet, the more prescriptive guidance that many respondents appear to be seeking will likely not be forthcoming, since the regulators have already issued significant guidance and the current regulatory regime places an emphasis on the ability of each financial institution to assess and identify the risks associated with their business. The survey results indicate that a number of institutions appear to have implemented, and continue to maintain, effective BSA/AML independent testing programs supported by an appropriate level of people, processes, and systems. However, based on the responses a significant number of institutions appear to lack the expertise, experience, resources, and senior management support needed to meet regulatory requirements and expectations and to conform to prevailing industry practices. Given the potential ramifications and negative impact associated with a BSA/AML regulatory enforcement action or with the identification of significant deficiencies during the annual examination process, it is important that financial institutions implement effective and efficient independent testing programs to assess and support their overall BSA/AML program. Indeed, industry-leading practice indicates that establishing an independent testing program designed to identify and address weaknesses in BSA/AML programs before they come to the attention of the regulators can assist financial institutions in managing their reputational risk and regulatory standing. Bank Secrecy Act/Anti-Money Laundering Independent Testing Survey 1

4 Introduction The current financial crisis may have attracted the attention of financial institution regulators, but that should not lead firms to downplay the critical nature of BSA/AML compliance. It may no longer be the lead story, but it remains a stated priority of the financial institutions regulators, and significant enforcement actions continue to be issued. Additionally, it remains the case that reputational damage ensues when an institution is found to have any role in events that are the subject of a money-laundering enforcement action or related criminal prosecution. Banks and regulators are thus stakeholders in the integrity of the independent testing requirement under Section 352 of the PATRIOT Act, and it continues to be one of the core components of an effective BSA/AML program as well as a focal point in all regulatory examinations. Deloitte surveyed 153 respondents in financial institutions to determine how they were managing the challenges imposed by the independent testing requirements. Respondents were asked about the approaches their institutions were taking on a wide array of issues to provide insight into how financial institutions develop, assess, improve, and sustain their BSA/AML independent testing programs. Deloitte s survey focused specifically on the independent testing of an institution s BSA/AML program as required under Section 352 of the PATRIOT Act, as opposed to other testing of the program that may be conducted periodically, but that is not considered to be independent, such as self-assessments and compliance testing. The survey examined the following aspects of independent BSA/AML testing: Organizational structure and resources Use of third-party service providers Testing expertise Testing scope Challenges Regulatory review The survey findings in each of these areas are discussed in the following sections. 2

5 Organizational structure and resources The primary responsibility for independent testing resided with the chief audit executive at 59 percent of the institutions participating in the survey, while 13 percent of respondents named the AML compliance officer, 10 percent the chief compliance officer, and smaller percentages named other respondents, including the general counsel, the chief financial officer, and chief risk officer. (See Exhibit 1.) U.S. regulations do not specify who should conduct independent BSA/AML testing. Instead, the regulations and guidance anticipate that the independent testing may be conducted by the Internal Audit function, outside auditors, consultants, or other qualified independent parties. To avoid the appearance of or any actual conflict of interest, the tester may not be the compliance officer or otherwise involved in administering the program. Depending on reporting line(s), there also could be the potential for a conflict of interest, either actual or apparent, if the chief compliance officer, general counsel, or chief risk officer were to oversee both the compliance and the independent testing programs. Based on the survey results, many institutions are evaluating or plan to evaluate who is responsible for independent testing within their organization to avoid such conflicts. Among those institutions surveyed that conducted testing in-house, 83 percent said independent testing was conducted by the Internal Audit function, while 11 percent named the Compliance department. For this latter group, if Compliance conducts the testing, it would likely not meet the independent testing requirements of the PATRIOT Act, unless the individual or group conducting the testing is not also involved in administering the compliance program and reports to an independent party. Testing schedule The most common schedule, cited by 84 percent of the respondents, was for independent testing to be conducted annually, with 11 percent conducting it more often and 5 percent conducting it less often. The frequency of testing is not specifically defined by statute or regulation for banks, mutual funds, and insurance companies, although the prevailing industry practice is to conduct testing at least annually. Broker-dealers, on the other hand, are required by regulation to conduct annual (i.e., on a calendar-year basis) independent testing. Sixty-two percent of the respondents said their institution conducted independent testing of all lines of business at the same time, while the remainder said they tested on a rotating basis. Not surprisingly, given their greater complexity, larger institutions were more likely to test on a rotating basis. Only 49 percent of respondents from institutions with more than $25B in assets said they tested all their lines of business at once, compared to 76 percent of those from smaller institutions. Conducting testing using a horizontal (i.e., all-at-the-same-time) approach, which is used by regulators when assessing an institution, allows an organization to view the entire AML program across business lines and identify overall inconsistencies and areas for improvement. In many cases, these reviews are supplemented by deeper vertical dives into business lines and support areas that present a heightened risk for money laundering or that have had previously identified weaknesses. Resource commitment Independent testing requires a substantial commitment of resources, especially for larger institutions. Among institutions with $25B or more in assets, 51 percent of respondents reported that 1,000 hours or more were expended on independent testing. Among smaller institutions, 71 percent of respondents said less than 500 hours were required. In light of the significant number of hours required to perform independent testing, it is interesting that only 49 percent of institutions with $25B or more in assets and 33 percent of smaller institutions did not use dedicated testing teams. In addition, 75 percent of institutions with $25B or more in assets employed internal or external AML subject matter specialists, while 55 percent of the smaller institutions did so. The fact that many institutions lacked dedicated testing teams and do not use independent AML subject matter specialists may explain, at least partially, why more than half of the respondents were not very confident that their institution s independent testing would identify material problems. Bank Secrecy Act/Anti-Money Laundering Independent Testing Survey 3

6 Despite these findings, relatively few institutions reported they would increase the number of hours allocated, consider using dedicated testing teams, or contemplate using subject matter specialists. For example, only 31 percent reported more than a 5 percent increase in the number of hours allocated to independent testing in the current fiscal year compared to last year, while just 24 percent expected there would more than a 5 percent increase next year. (See Exhibit 2.) This reluctance to commit more hours to independent testing was also reflected in the finding that securing adequate budget and resources was cited as one of the greatest challenges in planning and executing independent testing. (See Exhibit 15.) The lack of adequate funding and resources creates a difficult operating environment at a time when regulatory requirements and expectations are increasing, as are the expectations of boards of directors. In many institutions, it appears that senior management is relying upon Compliance and Internal Audit to do more without providing additional resources. Exhibit 1 Individual with primary responsibility for independent BSA/AML testing function Chief Audit Executive AML Compliance Officer Chief Compliance Officer General Counsel CFO CRO Other 5% 3% 2% 13% 10% 9% Exhibit 2 Change in hours allocated to independent BSA/AML testing 59% 1% Since last fiscal year 6% 62% 23% 8% Expected change in next fiscal year 3% 10% 64% 15% 9% Decrease by 15% + Decrease by 5% 15% Little or no change Increase by 5% 15% Increase by 15% + 4

7 Use of third-party service providers Independent testing was performed by in-house personnel at most institutions. Seventy-three percent of respondents said internal employees conducted independent testing, while only 18 percent said testing was outsourced to a third-party service provider, and 9 percent said it was conducted jointly by internal employees and a third party. 2 Smaller institutions were more likely than larger institutions to outsource. Among respondents at institutions with less than $25B in assets, 28 percent said independent testing was outsourced, compared to just 6 percent among those at larger institutions. In general, large institutions have more internal resources to perform the basic program testing. In Deloitte s experience, third-party service providers more often are employed to perform specific testing activities, such as testing of transaction monitoring systems, OFAC filters, and risk-rating matrices. Smaller institutions more often need to supplement existing resources or completely outsource testing activities because they may not have sufficient personnel with the necessary expertise. Deloitte has found that institutions tend to engage third-party service providers to benefit from their expertise in specific areas, as well as from the breadth of their experience. Service providers with the requisite qualifications often can offer greater insights into how the institution s processes compare to those of other firms and to best practices across the industry. Some institutions bring the independent testing function in-house, either in whole or in part, after in-house professionals have gained the requisite experience and skills from working with the service provider. Independent testing services provided Among the institutions that employed a third-party service provider to conduct some or all of their independent testing programs, roughly 90 percent said their vendors handled reporting and execution of the testing plan, while approximately 80 percent said they conducted analysis and developed the testing plan. Despite the fact that third-party service providers are engaged for their expertise, few respondents said their institutions employed them to formulate remediation plans or to follow up and remediate the problems they identified. Forty-three percent of respondents, however, said their institutions employed the third-party service provider to formulate remediation plans or to follow up and remediate the problems they identified, with the remainder apparently performing this activity in-house. (See Exhibit 3.) In Deloitte s experience some institutions are slow to take remedial action to address BSA/AML issues that have been identified, while others seem to implement quick fixes. Fully addressing all the problems identified in independent testing (or any other testing, for that matter) is a regulatory expectation and a prime indicator to regulators of the integrity of the testing. It also indicates how seriously the institution takes its anti-money laundering program obligations. Exhibit 3 BSA/AML testing services provided by third-party service provider Base= Respondents at institutions employing a third-party service provider Reporting 93% 2 These percentages total to more than 100 due to rounding. Execution of testing plan Analysis 83% 90% Development of testing plan 80% Follow-up analysis 43% Formulation of remediation action plan 20% Other 5% Bank Secrecy Act/Anti-Money Laundering Independent Testing Survey 5

8 Most respondents were satisfied with their third-party service providers for independent testing, with 63 percent saying they were extremely or very satisfied. When it came to specific issues, roughly three quarters of respondents were extremely or very satisfied with their service providers in interacting with company personnel and in their level of knowledge, while roughly two thirds were satisfied with the quality of testing, the appreciation of the materiality of different findings, their expertise, and their responsiveness. Not surprisingly, the least satisfaction related to cost, where less than half those surveyed said they were extremely or very satisfied. (See Exhibit 4.) Exhibit 4 Satisfaction with third-party service provider conducting independent BSA/AML testing Base= Respondents at institutions employing a third-party service provider Overall Interface with company personnel Knowledgeable testers Quality of testing Appreciation of materiality of different findings Expertise 8% 55% 18% 20% 15% 21% 23% 51% 58% 55% 49% 40% = 65% = 66% = 63% = 70% = 76% = 75% Timeline/responsiveness 16% 45% = 61% Cost 10% 33% = 43% Extremely satisfied Very satisfied 6

9 Testing expertise To effectively test the AML program, those performing the testing need the requisite expertise and training. Overall, regulatory expectations are increasing, and regulators are placing increased reliance upon a financial institution s own testing, assessment, and self-disclosure process. Despite this, most institutions had not created a dedicated or specialized testing team to perform independent BSA/AML testing. (See Exhibit 5.) Fifty-eight percent of respondents said their institutions did not have such a dedicated team, although some are considering creating one. Even among larger institutions those with $25B or more in assets roughly half lacked a dedicated testing team. This raises the question of whether the professionals conducting independent testing have sufficient knowledge, training, and experience to successfully conduct the testing. AML subject matter specialists provide an alternative or supplemental approach to using dedicated testing teams. (See Exhibit 6.) While roughly two thirds of respondents reported that their institutions employed either internal or external AML subject matter specialists, 36 percent of respondents said they did not use them to assist with independent testing. Smaller institutions were less likely to use subject matter specialists 45 percent of the respondents from institutions with less than $25B in assets said they did not employ them. Further, 85 percent of the respondents from institutions that did not use AML subject matter specialists said it was not likely they would begin to do so over the next 12 months. Exhibit 5 Does your institution have a dedicated or specialized independent BSA/AML testing team? Base= Institutions where in-house function performs testing Total $25B + Less than $25B 33% Exhibit 7 Areas in which internal AML specialists are used Base= Respondents at institutions using internal AML specialists Risk assessment Audit planning 42% 8% 50% 49% 3% Exhibit 6 Does your organization use AML subject matter specialists? Total $25B + Less than $25B 39% 13% 64% 38% Yes No, but considering one No, and no plans 48% 7% 10% 36% 57% 8% 9% 6% 12% 45% 25% Internal External Both No 75% 82% In fact, 23 percent of the respondents surveyed reported that their institution had neither a dedicated independent testing team nor used subject matter specialists. These institutions may lack the expertise in independent BSA/AML testing that is required for a program to be considered effective. Development of testing scope Analysis of findings Execution of testing Testing of monitoring systems Formulation of remediation plan 72% 71% 68% 68% 68% Among the respondents at institutions that employed internal subject matter specialists, roughly three quarters said these specialists assisted with creating and maintaining a risk assessment, audit planning, developing testing scope, and analyzing testing findings. (See Exhibit 7.) There was less consistency in how external subject matter specialists were used with testing of monitoring systems, audit planning, execution of testing, and analysis of testing findings cited most often. (See Exhibit 8.) Reporting Other 5% 52% Bank Secrecy Act/Anti-Money Laundering Independent Testing Survey 7

10 Training Specialized training was widespread 82 percent of the institutions that employed internal employees to conduct independent testing provided them with BSA/AML training. Forty-eight percent of the institutions surveyed that provided training did so annually, while 35 percent provided it two to three times each year. Exhibit 8 Areas in which external AML specialists are used Base= Respondents at institutions using external AML specialists Testing of monitoring systems Audit planning Execution of testing 52% 52% 60% Fully 95 percent of the institutions that provided specialized training had their training address specific AML regulations, and 84 percent trained their professionals on identifying red flags and risk factors. (See Exhibit 9.) However, far fewer institutions included other important AML topics. For example, only 55 percent said their training included auditing techniques or how to determine testing coverage, and only about one third said it covered how to construct the testing scope. Analysis of findings Development of testing scope Risk assessment Formulation of remediation plan Reporting Other 4% 48% 40% 36% 36% 32% Exhibit 9 Topics on which specialized BSA/AML training is provided Base= Respondents at institutions that provide specialized training Specific AML regulations 95% Red flags and risk factors 84% AML methodologies 66% Auditing techniques Determining testing coverage 55% 55% Constructing scope 39% IT applications 33% 8

11 Testing scope There was broad consensus on the scope of independent testing for most issues. (See Exhibit 10.) For example, 95 percent or more of respondents said their testing scope included compliance with AML policies, procedures, and controls as well as customer identification program/due diligence. Similarly, many other issues were included in the testing scope at 80 percent or more of the institutions participating in the survey. In particular, compliance with Office of Foreign Assets Control (OFAC) regulations, i.e., screening, reporting, and tracking, was included in the scope of independent testing at more than 85 percent of the institutions surveyed, which indicates that most institutions now view testing of OFAC compliance as part of BSA/AML testing. Yet, some issues were not included in the testing scope at many institutions. For example, roughly one quarter of the institutions did not include the governance of the program in their scope, while almost 40 percent did not include the adequacy of their OFAC risk assessment. (See Exhibit 10.) Although testing of applications for OFAC screening and for transaction monitoring were included in the scope at more than 80 percent of institutions, only about half of the respondents said that proprietary AML applications or Fedwire were included in testing, while only 38 percent said testing covered data interfaces. (See Exhibit 11.) While testing of IT applications, interfaces, and related activities is becoming a focal point of the regulators, institutions independent testing coverage of these areas is less than comprehensive. Risk-based testing Risk assessments are one approach to help determine the testing scope. Approximately three quarters of the respondents said their institutions used risk assessments in this way. Among these respondents, 54 percent said the risk assessments were developed by Internal Audit, while 39 percent said they were developed by Compliance. Our experience shows that if Compliance develops the risk assessment, to ensure independence, most institutions will have an independent party, such as Internal Audit, assess and make a final determination regarding testing scope. In these instances, Internal Audit will take the compliance risk assessment into account, but use its own risk-based process in determining what to test. Twenty-six percent of institutions relied completely on the more traditional approach of focusing on the design and effectiveness of BSA/AML controls. In Deloitte s experience, some institutions start by first examining the overall design and effectiveness of controls, looking equally at all areas. Over time, they move to a more risk-based approach in which more resources are devoted to higher-risk customers and lines of business, while lower-risk areas are tested less often or less intensively. Given its potential advantages in increased efficiency and effectiveness, together with guidance provided by the regulators, more institutions are likely to migrate to a risk based approach. However, a riskbased approach presupposes that highly knowledgeable professionals are deciding what deserves more (and less) attention. Exhibit 10 Areas addressed in independent BSA/AML testing AML policies and procedures 97% Customer identification/due diligence 95% Compliance with policies, procedures, and processes 95% Suspicious activity investigation and reporting 94% Adequacy of internal controls 91% Suspicious Activity Report (SAR) reporting and tracking 88% Risk assessment 87% Transaction testing 86% OFAC reporting and tracking 86% Record keeping and retention 86% Bank Secrecy Act reporting 84% Information sharing 80% AML system testing 75% Corporate governance of program 74% Monetary instruments record keeping 71% Adequacy of OFAC risk assessment 61% Special measures 60% Correspondent banking 59% Private banking 49% Other 8% Bank Secrecy Act/Anti-Money Laundering Independent Testing Survey 9

12 Review of scope It is important for the testing scope and methodology to be reassessed on a regular basis. Seventy-four percent of the respondents said this reassessment occurred annually, while the remaining respondents said it occurred less often. Sixty-nine percent of respondents said this reassessment was conducted by the chief audit executive, while 49 percent said the testing scope and methodology were reviewed by the AML compliance officer and 21 percent named the chief compliance officer. 3 While the AML compliance officer and chief compliance officer can be involved in reassessing the testing scope and methodology, it is Deloitte s recommendation that an independent party, such as Internal Audit, should review and approve any changes to the testing scope and methodology. Regulators typically expect the testing scope and methodology to be reassessed at least annually. Exhibit 11 IT applications included in independent BSA/AML testing OFAC screening Transaction monitoring Proprietary AML applications Fedwire Data interfaces SWIFT Data warehouse Check 21 solution 13% Other 4% 28% 32% 38% 55% 52% 84% 90% Change in scope Although most institutions reviewed their scope annually, relatively few institutions expected their scope of independent testing to increase. When asked how the scope of independent testing in the current year compared to that in the last fiscal year, 41 percent of respondents said it had increased, while only 8 percent reported a decrease. (See Exhibit 12.) However, only 29 percent of respondents expected further scope increases in the next fiscal year. Given that securing adequate budget and resources was cited by respondents as one of their greatest challenges in planning and executing independent testing, the fact that increases in the testing scope were not expected by approximately 75 percent of respondents during the next fiscal year is not surprising. Given the lack of confidence of respondents in their independent testing programs, coupled with increased regulatory expectations and inadequate budget and resources, institutions should consider devoting more attention and resources on areas of heightened risk or where programs are considered. 3 These percentages total to more than 100 percent since respondents could name more than one individual. Exhibit 12 Change in scope of independent BSA/AML testing Compared to last year 41% 51% 8% Expected change in next year 29% Automated work papers Establishing a formal process to manage and maintain testing work papers should also be considered. Fifty-two percent of the respondents surveyed reported that their institutions had an automated work papers system, including 65 percent of respondents at institutions with $25B or more in assets and 40 percent of those at smaller institutions. While many institutions maintain manual BSA/AML independent testing work papers, employing an automated work papers system is fast becoming a prevailing industry practice and will likely become a regulatory expectation. An automated work papers system can allow for more timely and accurate reports to be generated for senior management and the board of directors. 64% Increase No change Decrease 7% 10

13 Challenges Independent BSA/AML testing poses an ongoing challenge for many institutions. Almost half of the respondents were no more than somewhat confident that their institution s independent testing program would identify any material problems that exist. (See Exhibit 13.) The survey asked about the specific issues that pose challenges in managing an independent BSA/AML testing program, as well as about the most difficult issues revealed by independent testing. Challenges in planning and executing independent testing Respondents cited a number of issues that presented important challenges for planning and executing their independent testing programs. (See Exhibit 14.) Leading the list was the perception that regulations were unclear, which roughly three quarters of respondents considered to be one of their top three challenges and 26 percent identified as their number one challenge. This finding was consistent with the finding that more than 80 percent of respondents felt that more guidance was needed from regulators on independent testing requirements. (See Regulatory Review below.) While this response was not unexpected, it may be that the regulators believe they have provided sufficient guidance related to testing activities, including the issuance in 2005 of the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual (as well as its periodic updates), the issuance of the Securities and Exchange Commission source tool kits for broker-dealers and mutual funds, and the significant amount of general and specific BSA/AML guidance issued by FinCEN through FAQs. If this remains the position of the regulators, financial institutions will continue to bear the primary burden of assessing and determining their organization s risks without more explicit guidance. They will need to consider developing appropriate testing plans and programs that can identify appropriate actions to mitigate these risks and conduct follow-up to ensure appropriate corrective actions have been taken. Another key concern was securing adequate testing budget/resources. This was ranked as the greatest challenge by almost one third of the respondents and as one of the top three issues by roughly three quarters. However, there was little indication that it will become easier to secure adequate resources for independent testing in the future. More than three quarters of the respondents surveyed expected the number of hours allocated to independent testing at their institution would either remain the same or decrease in the next fiscal year; only about one quarter anticipated an increase. (See Exhibit 2.) It was notable that almost half of the respondents cited difficulties in securing support of the areas being tested as one of their top three challenges. (See Exhibit 14.) Should business units be responsible for complying with BSA/AML, as well as other applicable regulations, and serve as the first line of defense in combating money laundering/terrorist financing? If so, business unit leaders are responsible for complying with applicable laws and regulations and for operating in line with regulatory expectations. For this reason, appropriate incentives should be considered to secure the cooperation of business unit leaders with the independent testing function. For example, annual performance reviews could take into account the extent to which business unit leaders and the entire business units they are responsible for have supported and complied with BSA/AML regulatory requirements and the institution s BSA/AML policies, procedures, and controls. In contrast, Compliance (which oversees the BSA/AML program and provides guidance, support, and supervision to the business units) and the independent testing function (which is responsible for examining and evaluating the adequacy and effectiveness of the internal control systems) are properly measured by the quality and comprehensiveness of their work. Inadequate subject matter expertise was cited by 47 percent of respondents as a significant challenge. This may be due to the fact that 23 percent of the respondents said that their institutions had neither a dedicated independent testing team nor used either internal or external subject matter specialists. These challenges may expose financial institutions to greater risk that program deficiencies will go undiscovered, leaving it to the regulatory examination process to reveal programmatic failures. For institutions with operations outside the United States, coordination of independent testing is another concern. Among respondents at global institutions, only 32 percent said their independent testing was extremely or very coordinated across their operations around the world. While coordination both on a national and international Bank Secrecy Act/Anti-Money Laundering Independent Testing Survey 11

14 basis is improving, financial institutions in general do not appear to have effectively dealt with this issue. This will likely remain a challenge in the coming years. Exhibit 13 Confidence that independent BSA/AML testing will identify any material problems that exist Issues revealed by independent testing A second set of challenges is remediating the problems identified by BSA/AML independent testing. Transaction monitoring was cited most often as presenting the greatest challenges by 20 percent of respondents as the number one challenge and by 43 percent as one of the top three challenges. (See Exhibit 15.) IT data quality was also identified as a top challenge by 10 percent of respondents as the number one challenge and by 25 percent as one of the top three challenges. AML systems testing was common among larger institutions, with 82 percent of the respondents at institutions with $25B or more in assets reporting that they test their AML systems, compared to 68 percent of those from smaller institutions. Somewhat confident, 46% Not too confident, 3% Very confident, 51% Many institutions have gone through the process of evaluating, selecting, purchasing, installing, and implementing automated BSA/AML monitoring and/or OFAC systems. These are major events, which have been encouraged by financial institution regulators. Thus, the effectiveness of transaction monitoring and OFAC systems, as well as data quality, is fast becoming key AML focus areas of the regulators. The FFIEC BSA/AML Examination Manual states that the regulators will assess the overall process for identifying and reporting suspicious activity and OFAC hits, as well as the integrity and accuracy of management information systems used in the BSA/AML compliance program. The inability or failure of a financial institution to conduct meaningful testing of transaction monitoring systems and related activities, could trigger a regulatory action. Exhibit 14 Challenges in planning and executing independent BSA/ AML testing Unclear regulations Securing adequate budget/resources Securing support of areas being tested Inadequate subject matter expertise Inadequate scope 7% 14% 18% 26% 32% 18% 16% 14% 19% 28% 19% 15% 21% = 49% = 47% = 44% 20% 19% = 74% = 72% No. 1 Challenge No. 2 Challenge No. 3 Challenge 12

15 Many institutions employed internal or external subject matter experts to assist in the testing of monitoring systems, which suggests they may recognize a lack of expertise in this area. In fact, 60 percent of the institutions that employed external AML specialists used them to test monitoring systems. This likely reflects the involved technical, statistical, and other expertise required to design and carry out this kind of testing. Given the high rating that respondents placed on such IT-dependent activities as conducting risk assessments, complying with Know Your Customer (KYC) and Enhanced Due Diligence (EDD), and KYC/EDD documentation, the importance of this finding cannot be overstated. Indeed, it becomes even more valuable when considering that the areas where the regulators have issued the most enforcement actions include OFAC compliance, transaction monitoring, and SAR reporting all of which are heavily dependent on robust technology. Exhibit 15 Top challenges revealed by independent BSA/AML testing Transaction monitoring Conducting risk assessments Complying with KYC and EDD regulations KYC/EDD documentation IT (data quality) Creating and maintaining CIPs AML compliance policies and procedures Effective AML training Management reporting AML department procedures Investigations and documentation 2% 4% 3% 4% 8% 8% 9% 7% 10% 6% 2% 3% 3% 4% 5% 5% 20% 6% 7% 8% 8% 7% 4% 14% 13% 8% = 10% 8% 10% = 16% = 16%* = 13% = 13% 7% 5% 14% 8% = 20% = 26% = 25%* = 25% = 31%* 9% = 43% OFAC screening 5% 3% 2% = 10% No. 1 Challenge No. 2 Challenge No. 3 Challenge *Percentages do not total due to rounding. Bank Secrecy Act/Anti-Money Laundering Independent Testing Survey 13

16 Regulatory review The effectiveness of independent BSA/AML testing remains one of the most important issues for regulators over the last several years, and a significant portion of the institutions participating in the survey had been cited by regulators for deficiencies in this area. Thirty-six percent of the respondents surveyed said that a regulatory examination within the last three years had identified matters requiring attention with respect to independent testing. Among these respondents, 27 percent said their institution had also been the subject of a regulatory enforcement action within the last three years that cited deficiencies in independent testing. Among institutions that had been cited by the regulators, the most common problems concerned the quality of testing (31 percent), the scope of testing (26 percent), and inadequate follow-up on the testing results (24 percent). Institutions should consider developing an assessment and testing processes to identify and address these issues before they are uncovered and cited by the regulators. However, given the lack of confidence that many respondents had in their overall independent testing programs and their concern about the expertise of their testing teams, coupled with the difficulties in securing adequate budget and resources, it would appear from the survey results that many institutions may not be taking sufficient action to meet the expectations of their regulators. Desire for more regulatory guidance Many respondents felt the need for more guidance from the regulators related to independent testing. Forty-one percent of the respondents surveyed felt much more regulatory guidance was needed, while an additional 41 percent believed some additional guidance was needed. (See Exhibit 16.) Among smaller institutions those with less than $25B in assets 48 percent of respondents felt that much more guidance was needed from the regulators, but even among respondents from larger institutions, 35 percent desired much more guidance. Where do respondents feel the need for additional guidance? Among those wanting more guidance, roughly half cited the need for more guidance on AML risk assessment, the appropriate level of testing and sample sizes, and the design and testing of the transaction monitoring system. (See Exhibit 17.) The greatest challenges that respondents said had been revealed by independent testing transaction monitoring and conducting risk assessments were also areas where respondents felt the need for more guidance from regulators. (See Exhibit 15.) 14 Although the desire for additional guidance is understandable, regulators may believe that they have already provided a substantial amount of guidance. They may also feel that, in a risk-based environment, more specific guidance might handcuff the institution from tailoring its independent testing program to the institution s particular business model and risk profile. Institutions should consider not delaying action in the expectation that more explicit guidance will be forthcoming. Exhibit 16 Need for additional guidance from regulators on requirements for independent BSA/AML testing Exhibit 17 Areas where regulators should provide more guidance on independent BSA/AML testing Base=Respondents who responded that more guidance is needed Risk assessment Appropriate level of testing and sample size Design of transaction monitoring program Testing of transaction monitoring system(s) OFAC risk assessment 37% Scope setting Level of expertise expected Level of effort expected Role of the board and senior management Other 4% 18% 29% 37% 35% 54% 51% 48% 46%

17 About the survey Deloitte LLP conducted an online survey of 153 financial services respondents about their BSA/ AML independent testing programs. The survey was conducted from January 29 to March 16, The respondents who participated in the survey were from areas with AML responsibilities, including 50 percent from Compliance, 25 percent from Audit, 11 percent chief audit respondents, and the remainder from a variety of other areas. Three quarters of the respondents surveyed were from institutions headquartered in the United States, while the remaining respondents were from institutions headquartered in Canada (8 percent), Japan (4 percent), France (3 percent), the United Kingdom (3 percent), Germany (2 percent), and other countries (6 percent). Regarding asset size, 18 percent of the respondents surveyed came from institutions with less than $1B in assets, 37 percent from institutions with $1B to $25B in assets, 18 percent from institutions with $25B to $100B in assets, and 28 percent from institutions with $100B or more in assets. (See Exhibit 18.) Roughly two thirds of the respondents were from institutions providing banking services and/or securities services, while roughly one half were from institutions offering asset management and one third from institutions providing insurance. (See Exhibit 19.) (Note: Many respondents were from institutions involved in more than one type of financial services business activity.) Exhibit 18 Total assets Percent of respondents from institutions of each asset size 18% 24% 13% Less than $1B $1 $10B $10 $25B $25 $100B $100B + Exhibit 19 Business activities Banking Securities Asset management Insurance Other 6% 33% 18% 46% 28% 59% 65% Note: Percentages do not total to 100% because respondents could make multiple selections. Bank Secrecy Act/Anti-Money Laundering Independent Testing Survey 15

18 Authors Robert Antoine Partner Deloitte & Touche LLP Peter Fitzgerald Principal Deloitte Financial Advisory Services LLP John Graetz Principal Deloitte & Touche LLP Paul Lindow Partner Deloitte & Touche LLP Michael Zeldin Principal Deloitte Financial Advisory Services LLP Industry Leadership Jim Reichbach Vice Chairman U.S. Financial Services Deloitte LLP

19

20 This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication. Copyright 2009 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu DCS