This post is part of our occasional series on AML program fundamentals, which focuses on refreshing foundational knowledge for experienced members of the AML community and providing an introduction to key topics for those new to the subject.
As we all know, BSA/AML compliance is complicated. Everyone connected with a financial services company (FI) plays a role in making the organization’s compliance program work – every day. One critical group in this process is the FI’s board of directors.
Boards of directors for FIs have several responsibilities under the Bank Secrecy Act:
- Approving the BSA/AML compliance program
- Overseeing the management of the compliance program
- Appointing a qualified BSA officer for the institution.
Board members do not need to be BSA/AML experts, and while they are ultimately responsible for the FI’s compliance, the day-to-day operation of the program is the responsibility of the BSA officer with the ongoing support of senior management. However, to carry out their oversight obligations, board members need an understanding of the BSA/AML requirements for their FI, which comes through effective training. They also need insight into the compliance activities of their FI, which comes through effective reporting.
Both the training and reporting are only useful if the directors have context for what they are learning and the information contained in the reports. This context comes from their understanding of the business of the company, their understanding of the specific AML risks faced by the company based on its business model, and their understanding of the regulatory environment in which the company operates.
Training for the board can take many forms, but should be designed to continually increase the members’ understanding of the requirements of the program and the risks the program is designed to mitigate.
On an annual basis, the board (or a designated board committee) must approve the BSA/AML compliance program. This is only the beginning of the board’s oversight of the program. The board should receive periodic reports about the operation of the program. The reports should be tailored to support its oversight activities and should include:
- Any changes to the business lines or product lines of the organization which impact its BSA/AML risk profile
- Any significant changes to the risk assessments performed in the program
- Information about any audit or examination findings related to the program and the timeliness and effectiveness of any remediation plans
- Information about SARs filed, including any SARs related to employees, officers or directors, and any patterns which illustrate any weaknesses in the program.
Beyond receiving information about these larger picture areas of the program, the board should be made aware of all of the activities that go into operating an effective program. One way to accomplish this is to provide the board with one or more dashboards which chronicle the functions of the program: time spent working with examiners and auditors; number of alerts received, investigated, cleared or reported on; time spent responding to law enforcement inquiries; time spent receiving training and developing and providing training; how many CTRs were filed, OFAC matches were adjudicated, CIP exceptions were resolved; and many other functions of the program. Using dashboards to show how the information is trending gives directors a useful picture of the health of the program. This type of information also helps the board have a sense of the scale of the program and the resources needed for it to operate productively.
Case studies of actual investigations that resulted in SARs and, even better, law enforcement investigations can also be very illustrative. The Key Risk Indicators (KRIs) noted above are great, and a few well-chosen case studies really drive the point home. In many instances, the board members are surprised at the type of financial crime the BSA/AML program has identified.
It is also important to ask the board what it wants to know about the program that isn’t included in the reports. Directors are smart, experienced business people, and bring an outside perspective to their work. Listening to their viewpoint can provide management with valuable insights into the customer experience and into ways that processes are handled in other industries.
So what is the most important take-away from all of this? Effective oversight is impossible short of quality information.