RSM ANTI-MONEY LAUNDERING SURVEY BEST PRACTICES AND BENCHMARKING FOR YOUR BSA/AML PROGRAM

Transcription

1 RSM ANTI-MONEY LAUNDERING SURVEY BEST PRACTICES AND BENCHMARKING FOR YOUR BSA/AML PROGRAM

2 Anti-money laundering (AML) regulations are at times challenging for banks. Emerging risks and increased scrutiny and regulatory enforcement are putting intense pressure on Bank Secrecy Act (BSA) compliance programs and processes. Banks must meet the expectations of their regulator, and BSA programs must evolve as the AML risk environment is in a constant state of change. AML processes that were sufficient in the past may not be as effective today, and new risks and expectations based on challenges observed at other institutions may lead to regulatory gaps and deficiencies within your BSA/AML program. The importance of benchmarking and understanding how peers are organized and responding to AML challenges is critical to improving your BSA program. Knowing how other banks of similar size, complexity and risk are structuring their AML compliance activities and managing evolving regulations helps you to identify opportunities for improvement and keep your BSA/AML program relevant. The RSM Anti-Money Laundering Survey was conducted, and the results summarized to help banks benchmark their AML efforts against their peers. Our survey profiles AML departments of U.S.- based commercial banks between $500 million and $20 billion in assets. The survey covers AML functional structure, staffing levels and certifications, costs, risk tolerance, performance of key compliance processes, technology and training, and it provides data that enables institutions to better evaluate the performance of their AML departments by comparing themselves to their peers across key factors. Our survey results indicate that banks are generally satisfied with the effectiveness of the BSA/AML function and quality of BSA/AML risk assessments that drive their BSA program, with 95 percent of survey respondents indicating they are satisfied or somewhat satisfied with each. In addition, 85 percent of respondents responded favorably when asked about board involvement with the BSA/AML function. This is a positive sentiment, as bank governance appears to be improving and trending in the right direction. 1 I Learn more at rsmus.com

3 The survey found that almost all surveyed institutions take a centralized approach to their AML structure, with only 1 percent implementing a decentralized strategy. However, AML staffing is generally limited, with over 70 percent of respondents indicating they have five or fewer full-time employees responsible for AML. In response, banks may need to evaluate staffing levels to determine if their AML internal controls used to mitigate money laundering and terrorist financing risks are being executed effectively. The changing AML environment and differing compliance strategies likely contribute to a lack of measurement, consistency and documentation of suspicious activity case investigations by the survey respondents. The survey found that the time spent conducting enhanced due diligence (EDD) reviews, clearing suspicious activity alerts or investigating escalated alerts varies significantly between banks of all sizes. In addition, the survey details several trends within AML processes and activities, including: Budget increases are expected: Reflecting increased regulatory scrutiny, AML budgets are currently stable, but many expect them to rise by a median of 10 percent. Outsourcing is prevalent: Many institutions leverage outside resources to ease the AML compliance burden, with a majority of survey respondents outsourcing BSA/AML internal audits and AML model validation testing to ensure that the practitioners have the requisite skills to complete these assessments.. Banks seek greater AML efficiency: While effectiveness is the main objective of the AML function, BSA/AML activities are time-consuming. Additional training may be necessary: Awareness is a key regulatory requirement, but while web-based training is prevalent, in-person training and training budgets may need more attention. The AML compliance environment is ever-evolving, and banks will need to continuously improve their BSA/AML programs to address these changes. This survey provides a unique glimpse into the AML compliance efforts of over 100 financial institutions nationwide to help you benchmark your bank s BSA/AML program against your peers to hopefully identify areas for enhancement. PROFILE OF PARTICIPANTS 132 TOTAL PARTICIPANTS ASSET SIZE 39% $50M-$1B 12% WEST 55% $1B-$10B 39% MIDWEST 8% $10B-$20B 19% NORTHEAST 30% SOUTH RSM Anti-Money Laundering Survey I 2

4 SURVEY RESULTS Department structure strategies How AML departments are designed is a key factor in successful AML programs. The RSM AML Survey finds that almost all departments are centralized, with 99 percent implementing a centralized BSA/AML compliance structure. Among survey respondents, the title most often responsible for the BSA/AML function is the BSA/AML officer or director (53 percent). Those often responsible include the chief compliance officer (16 percent), chief risk manager or officer (10 percent) and compliance officer or vice president (9 percent). Of course, the AML department budget is an important consideration, and the survey finds that the median annual operating budget for BSA/AML compliance is $200,000. While 62 percent expect their budget to stay the same in the next year, 36 percent expect theirs to rise. Of those respondents, 44 percent expect it to rise from 5-10 percent and 26 percent of respondents envision an percent rise. Figure 1. Total annual operating budget for BSA/AML compliance 2% Decrease 36% Increase 62% Remain the same Understandably, larger counterparts typically have bigger budgets and see more growth in the future. According to respondents from large banks, they have a median of $250,000 budgeted for BSA/AML compliance, with 49 percent expecting growth. Thirty-six percent of respondents expect 5-10 percent budget growth and 34 project increases between percent. Maintaining effective staffing levels With the increasing expectations of an AML department, banks may need to reevaluate their BSA/AML staffing levels. In many cases, regulators are requiring increases to BSA/AML staff, and banks have often been conservative when filling compliance departments. Our survey data shows a significant difference between BSA/AML staffing at smaller and larger institutions, although that disparity may need to shrink due to evolving regulatory demands and the need to improve execution of internal controls within BSA/AML programs. All told, over 70 percent of banks had five or fewer full-time employees (FTEs) dedicated to BSA/AML compliance. Forty-two percent of respondents have less than three BSA/AML employees, while 29 percent have 3-5 employees and 13 percent employ 6-10 employees. Figure 2. Number of BSA/AML employees < $200,000 Total annual operating budget for BSA/AML (median) The survey responses related to AML budgets indicate that smaller banks have a median annual investment of $50,000. Twenty-four percent of those respondents expected a budget increase, with 66 percent of that group projecting a 5-10 percent increase and 27 percent forecasting a less than 5 percent increase. Our study found that small banks generally have less than half the number of FTEs responsible for BSA/AML compliance compared to large banks. Eighty-seven percent of smaller institutions have fewer than five FTEs while only 53 percent of larger counterparts had that same amount. Figure 3. Number of BSA/AML employees by asset size $500M-$1B $1B-$20B < I Learn more at rsmus.com

5 In addition, approximately three out of four (76 percent) large banks have at least one Certified AML Professional, while just over half (54 percent) of small banks have one. Interestingly, the survey shows that 64 percent of smaller institutions have Certified Regulatory Compliance Managers, but only 58 percent of large banks do. Also, nearly half of large banks (48 percent) employ a Certified Fraud Professional, compared to just over a quarter (26 percent) of smaller institutions. Nearly 30 percent (29 percent) of respondents expected to increase FTEs in the next year, while 70 percent expect staffing to remain the same. Some reasons cited for increasing BSA/AML personnel include implementing new processes or software, as well as volume changes or changes in bank structure through acquisitions. However, many banks do not foresee adding staff because no change is deemed necessary. Not surprisingly, larger banks are looking to invest more in BSA/AML FTEs than smaller institutions by a significant margin. Nearly half of larger banks (48 percent) expect FTE investments to rise over the next year, while 89 percent of smaller banks project that their staffing will remain the same. Figure 4. Expected change in # of FTEs 11% Remain the same 89% Increase 1% Decrease 51% Remain the same 48% Increase AML efficiency challenges Effectiveness is the main goal of the BSA/AML function, both in terms of regulatory compliance and risk mitigation. However, while most respondents (95 percent) indicated that they are satisfied with their function s effectiveness, BSA/AML activities remain time-consuming. Figure 5. Satisfaction with BSA/AML function Effectiveness of function Quality of risk assessment Board of directors involvement Very satisfied Somewhat satisfied Neutral Somewhat dissatisfied Very dissatisfied Efficiency of function Our survey illustrated that the levels of effort for customer due diligence, the initial review of alerts or case investigations of escalated alerts vary dramatically from bank to bank. The median time reported to complete either an EDD review or an escalated alert investigation is two hours, while the median time to clear a suspicious activity alert is one hour. However, the range of times reported for each of these activities is very broad from 15 minutes or a half-hour to 48 hours. $500M-<$1B $1B-<$20B As a result, the average times for these functions are well above the median times, suggesting opportunities for enhanced efficiency on the higher end (i.e., possibly spending too much time in some instances) and opportunities for risk mitigation (i.e., possibly spending too little time in some instances). In addition, the range of times for key activities suggest that these opportunities and risks exist for both small and large banks. The variance likely indicates a significant difference between the quality of review and investigation and the clearing of alerts. RSM Anti-Money Laundering Survey I 4

6 Figure 6. Average time required (in hours) by asset size Average time required (in hours) Mean Median Conduct enhanced due diligence (EDD) Total $500M up to $1B $1B up to $20B Clear a suspicious activity alert Total $500M up to $1B $1B up to $20B Investigate an escalated alert Total $500M up to $1B $1B up to $20B The disparities within these numbers are likely partially attributable to varying definitions of EDD. One potential benchmarking exercise is documenting EDD reviews against processes from another established institution. In addition, the upcoming implementation of the customer due diligence final rule should help increase consistency because it s not only for obtaining information for beneficial owners, but also for understanding and documenting the nature and purpose of the customer relationship and the ongoing updating of customer information. Many institutions also want to understand if they are filing enough Suspicious Activity Reports (SARs) and completing investigations, reviews and validations in comparison to their peers. Each bank has its own unique risk profile, complexity and customer base, but the volume of activity that our survey identified further amplifies potential risks and opportunities. Based on our research, banks file an average of 16.3 SARs a month, with complete investigations, 39.5 complete EDD reviews and 2.7 model or system validations. The median for these processes were five, 15, 15 and one, respectively. Figure 7. Frequency of investigative tasks Average frequency (per month) Mean Median Suspicious Activity Reports (SARs) Case investigations EDD reviews Model and system validations The popularity of outsourcing Outsourcing is a critical strategy for banks to increase efficiency and leverage critical skillsets that the institution may not possess internally. According to our survey, the functions that banks most often outsource through third parties are BSA/AML internal audits and AML model validation testing. Institutions often do not have these skillsets internally, so utilizing experienced external resources is often necessary and beneficial. Our research found that 62 percent of respondents outsource BSA/AML internal audits, while 53 percent use third parties for AML model validation testing. Some institutions also outsource quality control reviews (8 percent), AML risk assessments (5 percent) and regulation interpretations (2 percent). Figure 8. Outsourced BSA/AML compliance functions BSA/AML internal audits AML model validation testing Quality control reviews AML risk assessments Regulation interpretation Do not outsource 0% 10% 20% 30% 40% 50% 60% 70% Additionally, in many cases, it does not make sense to hire FTEs that are highly skilled and proficient with these processes because they are once-a-year exercises. For AML model validation testing, outsourcing can provide the competence required to provide an effective challenge to AML models and their underlying assumptions, while the strategy enhances BSA/AML internal audits with resources that are well-versed with industry standards, and understand AML risks and how other similar institutions implement practices, policies and procedures. Outsourcing generally proves to be more efficient, cost-effective and provides better results than internal efforts. Some smaller banks don t have an internal audit function, so they have to outsource the entire department. However, larger institutions may have an internal audit department, but will still outsource BSA/AML reviews because of the complexity of the regulations and related activities. 5 I Learn more at rsmus.com

7 In fact, our survey found that larger banks were significantly more likely to outsource BSA/AML internal audits and AML model validation testing. Sixty-five percent of larger banks used third parties for BSA/AML internal audits, while 59 percent of smaller institutions outsourced the process. Fifty-eight percent of larger institutions outsourced AML model verification testing, compared to 48 percent of smaller counterparts. Figure 9. Outsourced BSA/AML compliance by asset size BSA/AML internal audits AML model validation testing Quality control reviews AML risk assessments Regulation interpretation Technology investments and objectives Technology is a critical factor in BSA/AML compliance, helping banks keep pace with emerging risks and leading industry practices. Banks must have effective systems and quality data in order to have an effective BSA/AML program in place. Our survey underscores the importance of technology in AML compliance. Nearly nine in 10 (86 percent) banks use software to identify suspicious activity. Larger banks are more likely to leverage software for this purpose, with 96 percent making software investments to diagnose questionable activity, compared to 77 percent of small banks. Figure 10. Does your organization use software to identify suspicious activity? Yes No Do not know $500M-$1B $1B-$20B $500M up to $1B $1B up to $20B Do not outsource 0% 10% 20% 30% 40% 50% 60% 70% At both small and large institutions, the primary objective for BSA/AML compliance software investments is to enhance effectiveness, followed by increasing efficiency. Two-thirds (67 percent) of larger banks utilize software for more effectiveness, while 26 percent seek process efficiencies. In smaller banks, our study found that 60 percent target effectiveness with BSA/AML software implementations, while 31 percent list efficiency as the primary goal. Figure 11. Primary objective for BSA/AML software $500M-$1B $1B-$20B More efficiently identify suspicious activity More efficient process Satisfy regulators Risk score customers more effectively In addition, our survey found that budgets for suspicious activity monitoring software were much higher than other BSA/AML activities. Among all banks, the median annual budget for suspicious activity monitoring software was $30,000, followed by case management ($20,000), customer risk scoring ($19,000) and SAR reporting ($18,000). Figure 12. Median annual budget for software Suspicious activity monitoring Case management Customer risk scoring SAR reporting OFAC sanctions screening Currency transaction reporting $0 $10K $20K $30K $40K $50K RSM Anti-Money Laundering Survey I 6

8 Training programs and budgets Ongoing training is a regulatory requirement for BSA/AML compliance, in order to keep up with a rapidly evolving risk environment and trends. However, our survey shows that while almost all banks invest in training programs, some strategies may require adjustments to align with regulatory demands. Survey data shows that the median annual budget for BSA/ AML training is $5,000. Twenty-six percent of respondents spend between $5,000-$10,000 per year, while 19 percent spend between $10,000-$20,000 and another 19 percent have a budget between $1,000-$2,000. Figure 13. Total annual budget for BSA/AML training $0 $20K+ $1-$2K Figure 14. Training budget change expectations Total $500M-$1B $1B-$20B Decrease Remain the same Increase Views on risk tolerance In a threat-rich environment, banks must carefully consider their risk tolerance to stay in compliance with BSA/AML expectations and effectively protect the banking system from money laundering. Our survey shows that risk tolerance varies greatly between different bank sizes. $10K- $20K Median $5,000 Fifty-nine percent of larger institutions have a moderate risk tolerance, and 35 percent have a low tolerance. Comparatively, 44 percent of smaller institutions have a medium tolerance and 53 percent have a low tolerance. Few large or small institutions considered themselves to have a high risk tolerance. Figure 15. What is your organization s risk tolerance High Medium Low $5K-$10K $2K-5K Survey data shows that almost all (94 percent) banks utilize web-based training for employees. Sixty-eight percent of respondents perform in-person BSA/AML training, but only 43 percent leverage external training and seminars. As mentioned earlier, regulators expect employees to stay abreast of trends and threats, and external training can provide a new perspective on risks and how other institutions are reacting. Many banks are looking to increase training budgets, with larger banks projecting a BSA/AML budget increase in the next 12 months than smaller institutions. Twenty-nine percent of large banks expect a training budget increase in the coming year, while 70 percent think their budget will stay the same. Among smaller institutions, only 12 percent see a budget increase and 86 percent expect a stagnant training budget. $500M-$1B $1B-$20B Our survey provided interesting insights into how institutions categorize their customer and product risks. When considering their inherent risk from products and services, 4 percent of respondents categorize those risks as high, while 46 percent view them as medium and 50 percent view them as low. For the inherent risk of the customer base, 7 percent of institutions see it as a high risk, with 47 percent as a medium risk and 45 percent as a low risk. Finally, 15 percent consider geographical risk of customers locations and transactions as a high risk, with 47 percent viewing it as medium and 38 percent rating it as low. 7 I Learn more at rsmus.com

9 Figure 16. How would you characterize the Inherent risk of products and services High Medium Low Inherent risk of customer base Geographic risk of customers locations and transactions What s next for AML? The AML environment for financial institutions is very fluid, with regulations and regulatory expectations evolving to account for rapidly emerging risks. With the threat landscape changing on almost a daily basis, primarily due to risks linked to criminal activity and terrorist groups, BSA/AML compliance is and will continue to be a complex activity. Banks of all sizes need to carefully consider how to implement a risk tolerance, department structure, outsourcing strategy, training program and technology framework that is both effective and efficient. Benchmarking is a critical exercise to assist banks with maintaining and enhancing their BSA/AML programs, even though that may have been difficult in the past. However, this survey can help banks understand the compliance activity of peers, and implement or adjust processes to increase their BSA/AML program s effectiveness. RSM Anti-Money Laundering Survey I 8

10 ACKNOWLEDGEMENTS Survey methodology The RSM Anti-Money Laundering Survey was conducted by Minneapolis-based Barlow Research, an independent marketing research company specializing in the financial services industry. Survey results are based on the responses of 132 qualified respondents drawn from a stratified random sample from U.S.-based commercial banks with assets from $500 million-$20 billion in assets (according to the FDIC). In addition to the institutional asset-size requirements, participation in the study was limited to senior-level officers and managers responsible for oversight of the BSA program at their respective institutions. A paper-based invitation was distributed and respondents had the option to complete the survey via mail (41 percent) or online (59 percent) between Jan. 9 and March 4, Data was weighted by region and asset size to be representative of the total population of domestic banks in the determined asset range. For more information Nick Mustafa, Director , nick.mustafa@rsmus.com Patricio Perez, Partner , patricio.perez@rsmus.com Ty Beasley, Principal , ty.beasley@rsmus.com Rob Farling, Director , rob.farling@rsmus.com Individual responses to the survey are confidential and accessible only by RSM and Barlow Research. Survey data will be shared with third parties only in aggregate form, through RSM articles, white papers and presentations. 9 I Learn more at rsmus.com

11

12 rsmus.com This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. Internal Revenue Service rules require us to inform you that this communication may be deemed a solicitation to provide tax services. This communication is being sent to individuals who have subscribed to receive it or who we believe would have an interest in the topics discussed. RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. RSM and the RSM logo are registered trademarks of RSM International Association. The power of being understood is a registered trademark of RSM US LLP RSM US LLP. All Rights Reserved. sv-nt-ras-fi-0317-aml survey