The reputation of a financial institution (FI) relies heavily on the conceptual soundness of its BSA/AML compliance program. Furthermore, the integrity of an FI’s compliance department depends on its ability to identify gaps and deficiencies in its compliance program. A practical way to identify gaps and deficiencies in a BSA/AML compliance program is through independent testing (one of the five pillars of an effective BSA/AML compliance program[i]).
The purpose of independent testing is to assist the organization’s Board of Directors when evaluating the soundness of their FI’s compliance program, and to identify areas for remediation. However, it can be difficult for FIs to understand the elements of independent testing, especially when conducted by a consultant or independent firm. Let’s examine several features of independent testing and what to look for when selecting an external company to conduct one for your FI.
Key Aspects of Independent Testing
The Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual (“FFIEC Manual”) outlines independent testing requirements and expectations. As set out in the FFIEC Manual, the purpose of independent testing is to assess the FI’s compliance with BSA regulatory requirements and to assess the overall adequacy of the FI’s BSA/AML compliance program. The FFIEC Manual also indicates that independent testing should be risk-based and should evaluate the quality of the FI’s risk management in relation to money laundering, terrorist financing, and other illicit financial activity risks.
An FI may select the entity that conducts the independent review; the key requirement is that the auditor must be truly independent and not involved in the creation or implementation of any functions being tested. This prevents bias or conflicts of interest when assessing potential gaps and program deficiencies. Typically, an FI will engage an outside auditor or consultant, or utilize its own internal audit department to conduct the review.
While there is no regulatory requirement establishing the frequency of independent testing, industry best practice is to conduct an independent review every 12-18 months, or whenever there are significant changes to the FI’s risk profile, systems, or processes. The FFIEC Manual identifies the following concepts to be evaluated in an independent test:
- Is the Risk Assessment accurate and aligned with the FI’s risk profile (products, services, geography, etc.)?
- Are the FI’s Policies and Procedures aligned with their risk profile?
- Does the FI adhere to their own Policies and Procedures?
- Is the FI’s overall process of identifying suspicious activity sufficient?
- Is the FI’s record-keeping process sufficient?
- Are the FI’s IT sources/systems accurate and do they support the program?
- Is targeted and ongoing training provided for all appropriate FI personnel?
- Does the FI’s management take timely action to address deficiencies noted in previous reviews?
The purpose of independent testing is to uncover any violations, gaps, or deficiencies in the FI’s BSA/AML compliance program. The benefit of a thorough independent audit with robust testing is the potential identification of issues that can be addressed prior to any regulatory examination. The independent reviewer should provide findings in the form of a “final report” that outlines the gaps and deficiencies uncovered during the testing process. The independent reviewer should also provide recommendations to remediate these findings. It is critical that these findings are communicated to senior management and the Board of Directors, and that the communication with the Board is documented.
When an FI’s program is examined by its regulator, part of the information requested for the exam will be documentation of the most recent independent audit. The document request will include the final report and the related work papers. Regulators use the work papers to fully understand the independent testing process, its findings, and the scope of the review. If the examination team finds the report and work papers to be thorough and appropriate, it may rely on portions of the report rather than re-examining those topics, or it may reduce the amount of testing it performs.
Outsourcing Independent Testing
It is not unusual to outsource your independent testing, but it remains the Board of Directors’ responsibility to ensure the review is done accurately and conducted in a timely manner. To ensure the selected auditor is the best fit for the institution, the selection should follow the FI’s Vendor Risk Management Process.
Before selecting your independent auditor, it’s critical to do your due diligence. Ensure your selected auditor has experience in independent testing of BSA/AML compliance programs and is proficient in the industry standards. The selected auditor should have a thorough understanding of the requirements and expectations outlined in the FFIEC Manual. It is also recommended that you document your vendor selection process.
If the vendor passes your due diligence screening and you wish to engage them, the specifics of the engagement should be memorialized in a written agreement. This is often done with a statement of work (SOW). A SOW should specifically define the scope of the review and outline the expectations, timelines, pricing, deliverables, and responsibilities of each party involved.
It is critical that the FI and the selected audit team maintain ongoing communication during the engagement. This allows the auditors to bring deficiencies to the attention of the FI as soon as possible and, in turn, allows the FI to question any audit findings before the report is issued.
Finally, the FI should always conduct a thorough review of the final report before it is issued. While we tend to gravitate towards the findings, discrepancies, and recommendations, reviewing the report as a whole ensures that critical details were not overlooked, misinterpreted, or reported incorrectly. If gaps or deficiencies were noted in the report, the FI should take action to remediate them as soon as possible. The remediation efforts should be documented in response to each noted deficiency and provided to the regulators alongside the final report.
AML RightSource Financial Crimes Advisory
As a team, we are thorough and take pride in meticulously identifying material observations and gaps in a compliance program. We also look for opportunities to provide our clients with best practice recommendations that may not warrant a “material observation” but can still be valuable. In addition to presenting our clients with their material observations and recommendations, we can provide personalized solutions to help the FI take action towards remediating them.
Our FCA team has an expansive client base across covered financial institutions, not just banks and credit unions. We provide independent testing for Money Services Businesses, FinTechs, precious metals and gems dealers, and broker-dealers, as well as other business types not covered by the BSA that maintain proactive AML programs.
[i] 31 CFR §1020.210(b)(2)