This post was originally published by CU Insight.
Everyone who drives a car knows that the cost of ownership doesn’t end when you walk out of the dealership with the keys in your hand. Cars require constant care and tuning up (not to mention that dreaded emissions test every year). Similarly, your anti-money laundering (AML) system can’t be merely turned on and then left to its own devices. These systems also require constant care and tuning up in the form of validation and optimization.
As I’ve traveled the country to assist financial institutions with their AML systems, I’ve found that there are many different ways to conduct a system validation. However, through the years, I’ve noticed three things in particular that institutions can do in advance of an AML validation to ensure that it is time productively spent, whether you do it yourself or engage outside help.
1. Reports from Core and AML Systems
The first step is ensuring that your institution is equipped with a thorough report from both the core system and AML monitoring system, the lack of which absolutely gets in the way of completing a validation. The kind of report you’re looking for has data for every transaction conducted by the institution during a given period of time and should include (at a minimum):
- Account number or a unique identifier
- Name of the customer
- Transaction code
- Transaction ID/trace number
- Amount involved in the transaction
- Date the transaction occurred
- Account type identifier (i.e., consumer or commercial).
The AML system report should include the above items as as well as:
- Alert ID
- AML rule that generated the alert
You need to make sure you have these complete reports as a solid foundation before you begin your validation. If you don’t, talk to your core and AML system providers.
2. Transaction Codes
The next vital step is something that, if inoperative, would be noticed during the validation itself: improper transaction code mapping. Each type of transaction (e.g. check deposit, ACH transfer, checking account withdrawal) is assigned a transaction code. If an institution doesn’t have an accurate “map” of what its transactions codes are, meaning that each type of activity has its own specific code and this code matches what is put into the AML system, there will be a lot of issues with validation. This is because we cannot ensure that the system is accurately monitoring for specific transactions if the transaction codes don’t match up in the first place.
For example, if a wire transfer (which typically involves larger monetary amounts) is correctly coded by the core system but incorrectly coded by the AML system as a cash transaction (which arouses suspicion in large monetary amounts), it may generate an unnecessary alert.
This kind of error is surprisingly common. Once identified, taking the appropriate steps to resolve through modification of the AML System through revised mapping is critical. Once completed, a set of new tests should be conducted to ensure that the correction is effective and that the core system’s data matches the transaction codes read by the AML system.
3. Support Documentation
The third critical step is to make sure that the information in the core system can be verified. What this involves during validation is, again, selecting a random set of transactions from a variety of activity types and comparing them to the support documentation—the original document used by the customer ordering the transaction. Any thorough AML system validation will include this step, but it can be a challenge for many institutions to be able to produce the supporting documentation efficiently. For some transactions, like wire transfers, there is a physical form (or electronic copy of the physical form) describing who ordered the wire, the account the wire went to, the date it was to be carried out, etc. These types of records are typically easier to produce. During validation, we take those documents and compare them to the core system to make sure the core contains the accurate information associated with the transaction.
Where institutions often run into trouble is for some of the more difficult transaction types, such as ACH transactions and, surprisingly, currency transactions. Institutions frequently have a hard time finding full supporting records. Even though there may not be a tangible form or document involved, there is typically something (such as an online form, an electronic record, a ledger ticket or equivalent) that contains instructions for issuing the order or verifying that currency was involved. That’s why the third key to an effective validation is good record retention (and retrievability) of support documentation, including that of electronic records.
Following these three steps before validation can ensure a smooth AML validation that is likely to be far less painful than sitting in our local auto shop for an hour followed by a lecture about the perils of deferred maintenance and a pitch for how you can make things right again with your poor car.
Ken Agle, President of AdvisX, brings more than 25 years of experience covering almost all facets of financial institution risk management operations. He has conducted more than 350 compliance reviews and has assisted more than 200 financial institutions throughout the United States. He has developed and implemented systems and training programs on all phases of banking risk management, including, but not limited to BSA/AML, fair lending, loan review, HMDA, CRA, BSA, operational compliance, TILA, and RESPA. He has written numerous regulatory responses and appeals and has been instrumental in assisting institutions with challenging circumstances while facing regulatory enforcement orders. He has partnered with McGladrey & Pullen, RSMI, Promontory, Sheshunoff and other multi-region firms to provide support services to financial institutions. Mr. Agle specializes in strategic regulatory response and in developing and implementing both proactive and reactive tools and systems to preempt and resolve issues affecting today’s financial institution.