Making Sense of BSA/AML Validations

MRM | BSA/AML | Model Validation

April 4, 2021 marked the tenth anniversary of Model Risk Management (MRM) in the banking community. New interagency guidance for MRM related to Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance was issued just five days later.

The issuance of that guidance brought BSA/AML back into the forefront of discussions, so my colleague Debb Gordon, Ph.D., formerly from the Consumer Financial Protection Bureau (CFPB), Citigroup Audit, and designated an Advisor to the U.S. Treasury Department, participated in an MRM discussion with the American Bankers Association (ABA) to share her thoughts and expertise on BSA/AML validations and answer questions from the group. This article provides a summary of the main points of Debb’s conversations on the call.

At the onset, there was confusion about whether BSA/AML transaction monitoring systems are indeed models or just a "rule" and not subject to MRM validation standards. Relying on her experience in validating BSA/AML models, Debb pointed out that most systems incorporate a structure of "if/then" statements, which are various rules. A rule, by itself, does not constitute a model; however, in BSA, there are a multitude of rules which will frequently have points assigned to them, and be totaled up. If the total exceeds a certain threshold, an alert will be triggered. For example, for a particular transaction, the amount is with a range of dollars, and the transaction type could be an outgoing wire transfer to an international designation; this same transaction may have occurred three times within the last five days. That transaction received one or more point values, but those point values by themselves are not necessarily sufficient to trigger an alert. However, when taken with other factors such as the details of the account holder or entity, the points may add up to a value tha