The ever-increasing importance of a robust BSA/AML monitoring system has become more than clear in recent years. However, an all-encompassing monitoring system often feels beyond the reach of the smaller financial institution. Resources are finite, and some institutions are left floundering when attempting to cover all their bases. What must your small financial institution do to determine whether its BSA/AML monitoring system is as sound as those applied by their far larger counterparts? In this two-part blog post, we’ll break down two essential elements that smaller financials must have in their BSA/AML monitoring systems.
Secret Weapon No. 1: Sufficiency
The first secret weapon is sufficiency. When we talk about sufficiency, we are talking about whether the monitoring completed in your institution, whether manually or through an automated system, completely covers all of the suspicious activities that should be monitored.
However, there are many other logistics that need to happen within an institution besides BSA/AML compliance. So, we also want to make the process efficient by completing a thorough AML review using the least amount of resources (like time and money) as possible.
The principles of sufficiency apply whether the institution has robust automated software or relies on a single employee conducting manual monitoring. The following are three areas to address when determining your program’s sufficiency.
Sufficiency Component 1: A Thorough BSA/AML Risk Assessment
If you don’t know what risks are facing your institution, you can’t possibly know whether your AML efforts are adequate. So the first step is to make sure your risk assessment is comprehensive. Following the FFIEC guidelines, look at the institution’s products and services offered, the types of customers and entities that have banking relationships with the institution, and the risks from geographic locations of the institution’s branches and customers or members. You’ll want to pay particular attention to specialized customers or members, as well as the products they engage in or with. This might include use of customers or members that are Politically Exposed Persons or non-resident aliens as well those that engage in international wires, cash intensive businesses, remote deposit capture or other forms of electronic banking.
Every institution has the opportunity to identify and monitor its higher-risk customers whether an AML automated system is in place or not. Knowing those customers and then conducting material investigations against known money laundering activities from a broad basis or from a specific basis as it relates to the customer or member type is foundational to a strong program.
Sufficiency Component 2: Know the Guidelines
Second, use the guidelines available from FinCEN, such as Guidance on Preparing A Complete & Sufficient Suspicious Activity Report Narrative. This document contains a list of some common patterns of suspicious activity. If you can show that your monitoring includes elements for all of these, or that the monitoring is unnecessary due to your financial institution’s particular set of circumstances, you’re already in good shape.
We typically look for what we call the seven “typologies.” This acts as a broad brushstroke to cover the activities mentioned by FinCEN:
- High-Risk Geographies
- Common Counterparties/Financial Nexuses
- Large Asset Movement
- Structured Currency Transactions
- Rapid Rotation of Funds
- Increases in Behavior
- Deviation from Risk Profile
Sufficiency Component 3: Does the System Match the Size?
The third principle of sufficiency involves asking, “Do we have the appropriate number of people involved in the monitoring, investigating, and reporting processes?” This will depend on the size of your institution; however, we recommend that even for small institutions, at least two employees should be capable of completing all of the steps involved for BSA compliance. Completing an annual staffing assessment either as a stand-alone exercise or as part of your BSA risk assessment is an important exercise.
And finally, does your institution have the right tools to monitor for the suspicious activities it faces? Using cash logs will only get you so far, as these only let you monitor for structured currency transactions and some instances of large movements of cash, but little else. If you need to monitor wire transactions, monetary instruments, remote deposit capture, or other types of activity, make sure you have the appropriate tools for the monitoring to be completed. Those appropriate tools could include reports, personnel experience, software, etc.
In summary, sufficiency is the element of BSA/AML monitoring that measures your systems ability to cover all of the suspicious activities that should be monitored in accordance to your institution’s risk profile. Next week, we’ll address the second essential weapon of the smaller financial institution’s BSA/AML monitoring efforts.
Ken Agle, President of AdvisX, our sister company, brings more than 25 years of experience covering almost all facets of financial institution risk management operations. He has conducted more than 350 compliance reviews and has assisted more than 200 financial institutions throughout the United States. He has developed and implemented systems and training programs on all phases of banking risk management, including, but not limited to BSA/AML, fair lending, loan review, HMDA, CRA, BSA, operational compliance, TILA, and RESPA. He has written numerous regulatory responses and appeals and has been instrumental in assisting institutions with challenging circumstances while facing regulatory enforcement orders. He has partnered with McGladrey & Pullen, RSMI, Promontory, Sheshunoff and other multi-region firms to provide support services to financial institutions. Mr. Agle specializes in strategic regulatory response and in developing and implementing both proactive and reactive tools and systems to preempt and resolve issues affecting today’s financial institution. For more information on BSA/AML services, contact Ken Agle.