Internal audit holding the line on BSA/AML compliance
January 2014

Creating a higher level of assurance around regulatory compliance

How effective is independent testing of your Bank Secrecy Act/Anti-Money Laundering program?

At a glance

• Increasing regulatory expectations and other external factors are requiring internal audit departments to improve testing of their bank’s BSA/AML compliance.
• Internal auditors collectively must have comprehensive knowledge and a deep understanding of BSA/AML regulations and leading practices.
• A comprehensive BSA/AML internal audit program includes a robust risk assessment, ongoing monitoring, more effective testing procedures, larger samples, and consolidated enterprise-wide reporting.

Introduction

After a shaky five years in the world’s financial markets, US banking regulators have continued their focus on reducing money laundering. This supports the goal of governments to hit terrorist organizations, corrupt foreign governments, and drug cartels where it hurts—by putting the squeeze on their financing.

Increased regulatory scrutiny of banks’ compliance with the Bank Secrecy Act (BSA)/Anti-Money Laundering (AML), USA PATRIOT Act, and Office of Foreign Assets Control (OFAC) requirements has uncovered some significant irregularities and inadequate controls at the nation’s banks. We’ve all seen banks with assets from $10 billion to $2 trillion censured for deficiencies and punished with enforcement action levies.

Regional and community banks have not escaped the higher expectations regarding BSA/AML and OFAC. Smaller institutions have regularly made the case that because they operate domestically, employ simple business models, and have a lower-risk client base, they should be exempt from the increased regulation. Regulators, however, expect smaller banks to implement processes and controls for high-risk areas similar to those of the larger institutions and to comply with all statutes.

Would your bank pass the test of regulatory scrutiny? Do you really know how effective your BSA/AML compliance program is?

Regulators have told stakeholders, including board members and executive management, that internal audit departments must provide a higher level of assurance that the bank complies with BSA/AML and OFAC regulations and that the related bank programs and controls supporting these key regulations are adequate and effective. This means that all levels of bank management and internal audit need to gain a deeper understanding of the BSA/AML/OFAC elements. Additionally, regulators have stated that independent testing of the BSA/AML and OFAC programs must improve, and they expect internal audit departments to provide a more robust third line of defense at the nation’s banks.

With these new expectations, internal audit departments for banks of all sizes must ask themselves some key questions—and be prepared to act if they don’t like the answers:

• Is the function still performing BSA/AML/OFAC internal audits as it did in the past, or has the audit approach been updated to align with the new expectations?
• Is the internal audit staff knowledgeable, and does it test all components of the BSA/AML/OFAC program effectively and independently, as independence is defined by the regulators?
• Do the internal audit resources have the proper experience to assess the bank’s BSA/AML/OFAC processes and procedures in comparison to its peers? And are they aware of where the industry is heading relating to these regulatory requirements and expectations?
• What are the appropriate scope and objectives for these types of reviews, and what is the right number of hours that should be allocated?

In this paper, we’ll first take a closer look at the factors influencing internal audit and its role within the three lines of defense of BSA/AML/OFAC compliance. We’ll also examine some of the weaknesses of inadequate BSA/AML/OFAC internal audit programs and what banks can do to help improve their internal audit function so that it can more effectively assess the bank’s overall compliance with these regulatory requirements.

Three lines of defense

First line: Operational, risk management, and quality controls embedded within the lines of business
Second line: Quality assurance, risk management, validation, and independent compliance testing
Third line: Strong internal audit

What’s driving the need for change?

Since the publication of sections of the USA PATRIOT Act between 2001 and 2004 that affected BSA/AML, banking regulators have provided guidance for only some elements of the Act, such as the Customer Identification Program (CIP), Customer Due Diligence (CDD), and Enhanced Due Diligence (EDD). Over the years, organizations developed compliance programs based on the guidelines as they interpreted them. Finally, in 2010, the Federal Financial Institutions Examination Council (FFIEC) created the BSA/AML Examination Manual, a comprehensive document providing guidance on all elements of BSA/AML/OFAC and the testing thereof. The FFIEC BSA/AML Examination Manual is objective based; and although the objectives may still be the same in 2013, the expectations to meet them have increased in many areas. This much-needed examination guidance, coupled with heightened regulatory expectations, has paved the way for permanent changes in how banks comply with BSA/AML.

With most regulatory change, there’s a period of transition during which leading practices are developed, a common standard is achieved, and new expectations and requirements are defined. Since the financial crisis, however, the transition period has been reduced.
Regulators increased their focus on BSA/AML/OFAC so fast that many organizations were caught off guard with inappropriate strategies and inadequate people, processes, and technologies in place. All three lines of defense within many banks have been found lacking. Not surprisingly, the number of related consent orders has spiked.

Regulators are looking to internal audit as the third and final line of defense to detect irregularities within an organization’s BSA/AML and OFAC programs, and to provide assurance that the first two lines of defense are effective. As such, organizations should assess their internal audit departments and resources against these changing expectations to make sure they have the people, processes, and technologies in place to adequately perform these assessments.

External factors influencing change

To better understand the changing landscape for BSA/AML/OFAC compliance, we need to look at the following three key external factors. Internal audit departments need to be mindful of these factors as they strive to provide the greatest impact for their institutions and stakeholders.

1. Increased regulatory scrutiny and issuance of BSA/AML enforcement actions and consent orders. US regulators have issued many consent orders and levied fines against US and foreign banks for non-compliance with BSA/AML regulations during the last several years. The Federal Reserve issued 113 enforcement actions between 2008 and early 2013 relating to BSA/AML and OFAC.[1] The number of BSA/AML-related consent orders issued by the Office of the Comptroller of the Currency (OCC) increased from an average of five per year in 2007 through 2009 to an average of 14 per year from 2010 through June 2013—that’s an increase of almost 200%. And of the BSA/AML-related consent orders issued since 2010, 75% included articles indicating a deficiency with the institution’s independent testing and internal audit functions.[2] This trend of enforcement actions is consistent with consent orders issued by the Federal Deposit Insurance Corporation (FDIC) as well. Regulators have raised their expectations and the standard against which they test during examinations. Bank policies, processes, and procedures that were acceptable two or three years ago may not be adequate today.

2. Greater regulatory focus and scrutiny on risk mitigation strategies and controls that should be implemented to curtail financing of drug cartels, government corruption, criminal activity and terrorist organizations, as well as the prevention of the movement of money that is traceable to other illicit activities and targeted governments.

3. An increased regulatory focus on technology, systems and the system validation processes around these technologies and data that support BSA/AML and OFAC processes.

[Chart: BSA/AML-related consent orders issued by the OCC, by year, 2007 through 2013 (vertical axis 0 to 20 orders); the 2013 figure is estimated.[3]]

1 “Anti-Money Laundering and the Bank Secrecy Act,” testimony by Federal Reserve Board Governor Jerome H. Powell before the Committee on Banking, Housing, and Urban Affairs, US Senate, Washington, DC (March 7, 2013); http://www.federalreserve.gov/newsevents/testimony/powell20130307a.htm.
2 Consent order information was collected from www.occ.gov from 2007 through June 2013.
3 Estimated at 16 based on the 8 consent orders issued during the first six months of 2013. Consent order information was collected from www.occ.gov.
Changing expectations and new regulatory guidance

To help organizations of all sizes deal with the increase in enforcement actions and change in regulatory focus, domestic and global regulators have responded with new requirements and guidelines clarifying expectations for BSA/AML compliance, as well as for internal audit. The list below includes many of the recent regulatory bulletins and pronouncements of significance to BSA/AML compliance and internal audit. Collectively, these regulatory changes have greatly impacted BSA/AML stakeholder expectations domestically, and AML and anticorruption expectations globally.

As we work with successfully compliant banking institutions, including those with assets between $10 billion and $100 billion, we’ve observed that they recognize the changing regulatory environment and manage all aspects of the requirements. These banks build the right infrastructure and tailor it to fit their particular organization and risk profile. To manage the complexities, they invest in their BSA/AML and OFAC risk assessment processes and their KYC (“know your customer”) systems to support their risk assertions. They realize these processes are expected to be robust, well documented, and updated on a regular basis.

Recent regulatory bulletins

Federal Reserve SR 13-1: Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing (released January 23, 2013) provides guidance on the characteristics, governance, and operational effectiveness of an institution’s internal audit function. It discusses the internal audit framework and provides regulatory guidance for many areas, including the need for improvement with the function’s charter; its communication and reporting to the audit committee; its risk management and monitoring activities; and its audit methodology, practices, and processes. (www.federalreserve.gov)

OCC 2012-30: BSA/AML Compliance Examinations (released September 28, 2012) states that an institution’s compliance with BSA/AML and OFAC regulations could potentially impact the Management Component Rating of CAMELS and the Risk Management and Compliance Ratings of ROCA. BSA/AML and OFAC compliance will have a more weighted effect on these supervisory examination ratings issued by the OCC, FRB, and FDIC (these examination ratings are not available for public consumption). (www.occ.gov)

Financial Crimes Enforcement Network (FinCEN), a division of the US Treasury Department, pending proposal relating to the collection of information on beneficial owners (released February 16, 2012) proposes rules pertaining to the potential expansion of CDD and EDD obligations for financial institutions. The intent of the proposed rules is to “codify, clarify, consolidate, and strengthen existing CDD regulatory requirements and supervisory expectations.” (www.fincen.gov)

Financial Action Task Force (FATF) Recommendations (most recently issued February 2012). FATF is a global organization that develops standards and requirements for all member countries. Its objectives are to strengthen global safeguards and further protect the integrity of the global financial system by providing governments with stronger tools to take action against financial crime, money laundering, and terrorist financing. The new standards provide enhancements to priority areas such as corruption and tax crimes, and address new threats such as the financing of proliferation of weapons of mass destruction. (www.fatf-gafi.org)

OCC 2011-12 and Federal Reserve SR 11-7: Supervisory Guidance on Model Risk Management (released April 2, 2011) provides guidance on the various model risk management activities, including expectations for internal audit. Internal auditors are expected to conduct assessments to evaluate whether model risk management is comprehensive, rigorous, and effective. In addition, internal audit should review supporting operational systems and evaluate the reliability of data used by the models. Although not specified in the bulletin, the common AML models include the customer AML risk rating, sanctions screening, and activity monitoring models. (www.occ.gov and www.federalreserve.gov)

Common weaknesses of BSA/AML/OFAC internal audit programs

With the recent regulatory changes and heightened expectations in BSA/AML compliance, as evidenced by the wave of consent orders, banks and examiners have found that many BSA/AML internal audit departments’ testing programs are falling short in the following areas:

• Audit teams are not knowledgeable or adequately trained to review BSA/AML and OFAC programs and related elements. Furthermore, auditors commonly do not have exposure to leading industry practices. See the list of common internal audit knowledge gaps in the next section for examples.
• Internal audit’s assessment of AML risks and audit planning processes are insufficient to develop an effective testing plan, and they typically do not leverage data analytics to better focus on the risks.
• The scope and coverage of the reviews are not sufficient, and the level and intensity of testing are not commensurate with the bank’s overall AML risk profile.
• Testing procedures are not sufficient or effective, with limited sample sizes or enterprise samples that do not include samples from each entity. Much of the testing is limited to inquiry, observation, and inspection for activities where re-performance testing would be more appropriate, including escalations, adjudications, and alert investigations. Additionally, data analytics are commonly not used to execute specific tests during the internal audit for increased testing coverage.
[Figure: Insufficient or ineffective processes that can impact BSA/AML/OFAC internal audits: testing procedures inadequate, with insufficient testing; risk assessments and planning processes insufficient; no usage of data analytics in the audit cycle; audit staff not sufficiently knowledgeable or trained; level and intensity of testing not commensurate with AML risks.]

Internal audit’s common knowledge gaps of BSA/AML regulations and leading practices

The list below illustrates internal audit’s common knowledge gaps in the BSA/AML areas that typically require a deeper understanding of the regulations and industry leading practices. These are also the BSA/AML areas that many banks have difficulty complying with.

• BSA/AML and OFAC compliance risk assessments and related processes (including linkage to monitoring activities, gap assessments, control self-assessments, and methodology): risk factors included in risk assessments, and the level of data analysis required (as well as the validation of data and related data analysis).
• BSA/AML program governance, including senior management and board reporting: reporting metrics, including changes in customer concentrations, transactional volumes, operational quality (error rates), emerging risks, and staff training.
• AML model and system validation activities: data quality testing and review of other independent validation activities in accordance with OCC 2011-12 and SR 11-7. Typically, AML models include (1) transaction monitoring routines or rules, (2) KYC/AML risk rating models, and (3) sanctions filtering and logic.
• Collection of additional information and screenings of higher-risk customers, including identification and screenings of beneficial owners and controllers: enhanced monitoring of higher-risk customers, including customer file reviews and transactional analysis, automated monitoring systems, and management reporting.
• Monitoring and identification of potentially higher-risk customer types and concentrations: automated monitoring and management reporting, including coverage of all customers and higher-risk products and services.
• Transaction monitoring, including risks associated with data quality, scenario logic, and alert suppressions.

Critical elements of independent testing and internal audit

To meet the current regulatory expectations relating to independent testing of their BSA/AML/OFAC program and elements, banks must implement a “three lines of defense” methodology:

• First line—Operational, risk management, and quality controls embedded within the BSA department and the various business lines with AML and OFAC related activities.
• Second line—Robust quality assurance, model validation, risk management, and independent compliance testing with end-to-end testing of BSA/AML and OFAC processes and controls.
• Third line—A strong internal audit function that conducts comprehensive independent testing, as defined by the regulators, of the BSA program, including an assessment of the first and second lines of defense activities and governance.

Approximately 75% of the BSA/AML-related consent orders issued by the OCC since 2010 included articles requiring improvement of the banks’ independent testing, as defined by the regulators, and internal audit function.[4]

As a result of regulator focus on improving the third line’s oversight of these programs, the BSA/AML and OFAC internal audit program should include the following critical elements and activities:

• Knowledgeable and experienced audit team with ongoing BSA/AML and OFAC training provided to staff. The audit team should be AML certified, with specialists to provide insights into industry-leading practices and emerging regulatory expectations, as well as technical regulatory knowledge. They should be used in all phases of the assessment, including planning activities, testing, and the review of workpapers. If the internal audit function does not have the requisite knowledge internally, it should retain specialists from outside of the department or organization.
• Robust audit planning activities that include an assessment of BSA/AML and OFAC risks, and ongoing dynamic risk monitoring. A risk-based BSA/AML and OFAC audit plan should be developed annually and should adjust the level and intensity of testing based on risks and technological changes. Additionally, internal audit should consider employing data analytics to continuously monitor AML activity and identify emerging AML risks that the organization might be facing. The changes in risks identified through the risk assessment and monitoring activities may impact the audit plan and cause the organization to revise the annual scope and depth of the reviews accordingly.
• Effective audit approach, procedures, and processes that adequately assess all AML elements, including the development of robust risk and control matrices (RCMs) and the creation of process flowcharts identifying risks and the key controls. The procedures should include re-performance testing with larger sample sizes to adequately represent all risk factors, including higher-risk customer types, products and services, geographies, business channels used, and transaction volumes and values.
• Comprehensive and consolidated macro-reporting of BSA/AML operations across the entire organization to the board of directors, including the tracking of outstanding BSA/AML and OFAC issues, validation of actions taken to address these issues, and the aging of these items.
• Supplemental information to the final report, including:
  • Workpapers—testing scripts, related templates, process flowcharts and other documentation—that are complete and well written, and retained as evidence
  • Planning and other supporting documents (e.g., data request memos) that are included with the workpapers and retained accordingly
  • Findings and management’s related corrective action steps that are documented and tracked
• Adequate validation testing completed and documented within a reasonable period of time, with appropriate escalation of issues.
• Proactive steps when BSA-related enforcement actions are levied against their institutions. Internal audit should assess the bank’s remediation activities and provide assurance that the various work streams are being implemented and completed as planned, including KYC remediation, suspicious activity and other look-backs, and the implementation of new AML systems and technologies.

[Figure: BSA/AML and OFAC internal audit program elements: BSA/AML policy with independent testing overview; ongoing BSA/AML and OFAC training for internal audit staff; ongoing dynamic risk monitoring activities; robust BSA/AML and OFAC internal audit risk assessments; a risk-based BSA/AML and OFAC audit plan; adequate testing procedures and processes; validation and tracking of issues; comprehensive internal audit reporting to the board of directors.]

4 Consent order information was collected from www.occ.gov from 2007 through June 2013.

Building strength out of change

The days of the BSA/AML checklist audits are well behind us. BSA/AML compliance is now heavily scrutinized by the regulators for all banks, from the small local banks to the largest US financial institutions.
Having the right team with the right skills isn’t enough; banks must take a risk-based approach in developing an efficient and strong BSA/AML internal audit program—one that can hold the line on compliance.

In this new reality and regulatory landscape, effective BSA/AML audit programs include testing that is performed by resources who are objective and knowledgeable of the subject. Internal audit must have a strong understanding and knowledge of BSA/AML processes. Robust sample sizes and re-performance testing should be incorporated into the testing. And finally, audit management and staff must be able to present the results and findings with clarity and confidence.

More than 15 audit areas could potentially be in scope, including model validation, with the level and intensity of testing adjusted to risk. Many internal audit departments perform limited testing and/or select limited sample sizes in each of the areas in scope. If this is the approach your internal audit takes, reconsider.

Internal audit needs to detect BSA/AML program irregularities before the regulators do, especially if they’re serious enough to trigger an enforcement action. If it doesn’t, then, as the final line of defense, internal audit will likely be specifically identified as a weakness in any BSA/AML-related consent order levied against your institution.

The 15 areas listed below are considered to be the core requirements for testing, and they are consistent with the FFIEC BSA/AML Examination Manual. Some banks may have more testing areas based on their unique risks, organizational structure and profile.

• BSA/AML Risk Assessment
• OFAC
• Currency Transaction Reporting Exemptions
• OFAC Risk Assessment
• Suspicious Activity Reporting
• Information Sharing
• BSA/AML/OFAC Compliance Program and Training
• Activity Monitoring
• Purchase and Sale of Monetary Instruments Record Keeping
• Customer Identification Program
• Currency Transaction Reporting
• Funds Transfers Record Keeping
• Customer Due Diligence/Enhanced Due Diligence (including Sections 312, 313 and 319b of the USA PATRIOT Act)
• Other Regulatory Reporting
• Special Measures

www.pwc.com

To have a deeper conversation about how this subject may affect your business, please contact:

John Tantillo, Risk Assurance - Partner, PwC, 646.471.6729, john.tantillo@us.pwc.com
Monique Maranto, Advisory - Director, PwC, 410.404.1905, monique.maranto@us.pwc.com
Jeff Lavine, Advisory - Partner, PwC, 703.918.1379, jeff.lavine@us.pwc.com
Nick Mustafa, Risk Assurance - Manager, PwC, 312.298.2093, nicholas.mustafa@us.pwc.com
Paul Hinds, Risk Assurance - Managing Director, PwC, 224.723.4817, paul.hinds@us.pwc.com
Carmine Spinelli, Risk Assurance - Managing Director, PwC, 646.471.8104, carmine.spinelli@us.pwc.com

© 2013 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

PwC US helps organizations and individuals create the value they’re looking for. We’re a member of the PwC network of firms with more than 180,000 people in 145 countries. We’re committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com/us.

AT-14-0061