Auditing BSA/AML Live Training was on June 18th 2020. Here is a short clip talking about Independent Testing. Get it On-Demand now – https://store.bankerscompliance.com/link/BSAamlAudit6-20
Featured Topics were:
BSA/AML & OFAC Risk Assessments
Program Requirements (Controls, Testing, Training, Officer & CDD)
Customer Identification Program (CIP)
Customer Due Diligence (Including the Beneficial Owner Rule)
Currency Transaction Reports & Exemptions
Suspicious Activity Reporting Requirements
OFAC, 314(a) and 314(b) Requirements
See BSA/AML Free Tools Here – https://store.bankerscompliance.com/link/BSAFreeTools
Independent testing, now we’re up on page 24. So we’ve gone through the system of internal controls, you have your checklist of things that you’re going to be looking for. But really keep in mind, you’re thinking through how this process works and looking for gaps in their system. On the independent testing, we actually got more guidance on how to evaluate independent testing than we had previously. Again, look at the italics on page 24 here, it’s all from that exam manual update back in April. What areas are they going to be looking at? It hasn’t changed a whole lot, they still require that this independent test must be independent.
In other words, if you have it being done internally, the people who are conducting this independent review need to be outside of the function of the BSA program. And for a lot of banks, that’s a luxury they simply don’t have. The people who have the specialized training to do BSA, they’re the ones doing the BSA. They’re the ones who are keeping the program afloat and managing it. They don’t have someone who’s completely independent who can conduct that review. So there’s special instructions on how to evaluate that.
Look at number two, things like, is there documentation of the qualifications or competence of that person conducting the BSA review? And this is something I’d encourage you to document if you have an internal, or even if you have an external person, check all of these things off if you’re managing the program. Overall audit experience, specific BSA expertise, internal versus… Is it internal or external, and are there references or some other indication that they know what they’re doing? The other thing to keep in mind here is that, all of your independent reviews should also be looking at the work papers from the previous independent reviews. They should be evaluating at least, what type of review was your previous review? And if you’re doing the independent review, you should be looking at the work papers from the previous one.
Frequency, again, they did change this a little bit. If you remember, and if you look at the bottom there, it’s every 12 to 18 months. That language is still in there, but it says, “More frequent testing may be appropriate when there were errors or deficiencies that were identified.” So keep in mind, this shouldn’t be on cruise control, and a lot of banks that go through and they set it, okay. “Our board set this at 12 months, and so we’re going to keep doing this over and over again every 12 months. And we don’t really worry about it.” Or maybe it’s 18 months. “Every 18 months, we do our independent review.”
However, what that language is saying is if it looks like there was something identified, a specific issue. Or maybe there was a change in the program, like you’ve started up your beneficial owner portion of your program and nobody’s getting it right. It’s just not working right. That may be a reason to have an independent review or independent testing, that is sooner than what may be in the program itself. And that’s something for the BSA officer to be communicating up the chain. Oh, hold on, let me get to… Another thing, when you are looking at the independent test that was conducted by maybe another person, or maybe you’re looking at the work that you did last time. Take a look at this list on 25 and 26, these are the minimum requirements. This is what every independent test should have.
So let’s look at it. You should have an overall evaluation of the program. So where they go through and they say, “This program is working.” Or, “There’s significant problems with this program and a number of areas.” So they have to have that overall statement about your program. And then also when you’re… And maybe you’re doing the independent tasks, but looking at things like the risk assessment, laying out what exactly the transaction testing was, evaluating the corrective actions. So I would go through and use this as a checklist, to go through and make sure both the previous independent test was proper, and has all of the bits that it was supposed to have. But then also as a checklist for you, when you’re putting your report together, that you’re hitting all of these areas if you’re doing that independent test.
On page 26 at the bottom of the page, I would circle letter K. Letter K, that is a new bit, new guidance and it does specifically address, and you can read it out there. “Did the independent testing sufficiently cover ML/TF and other illicit financial activity risks within the bank’s operations? And whether the frequency is commensurate with the bank’s risk profile.” So it’s a requirement now that your independent test specifically looks at that money laundering terrorist financing risk, and whether the program they’re looking at actually incorporates it properly. So all of these things need to be addressed by that independent test.
And then finally on page 27, as you get into it there’s, what kind of documentation is necessary? Again, the audit scope and the procedures and the transaction testing, it should all be laid out in the work papers from the review. There should be an audit report, look at letter B there, that really articulates what the findings are and what the recommendations are for management. So that they can take those findings and then really apply them to the program because keep in mind, the whole purpose of this independent review is to look for blind spots. Look for problems, and then to communicate it to management. So it should have an executive summary, it should lay out the scope, and it should have those specific findings there.
And then look at number six. I’d write in there, “Follow up.” Don’t just let a report sit out there, and if you’re looking at an independent review that had some issues that were identified. And you cannot see documentation that management followed up on it, that to me would be a problem. It’s a weakness in their system. So, was that report presented to the board? Was there some kind of division of labor, did they even address the problems? Even if it’s something that said, “Okay, our previous report made this recommendation, but we’ve evaluated it. And we decided we are not going to do this at that time, and here’s why.” That’s fine with me, at least they addressed it. Now, I may disagree with their decision, but it’s better than just leaving it blank. So keep in mind that management response and follow up is something that should be looked at, when you’re evaluating an independent review.