Making Sense of BSA/AML Validations
April 4, 2021 marked the tenth anniversary of Model Risk Management (MRM) in the banking community. New interagency guidance for MRM related to Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance was issued just five days later.
The issuance of that guidance brought BSA/AML back into the forefront of discussions, so my colleague Debb Gordon, Ph.D., formerly from the Consumer Financial Protection Bureau (CFPB), Citigroup Audit, and designated an Advisor to the U.S. Treasury Department, participated in an MRM discussion with the American Bankers Association (ABA) to share her thoughts and expertise on BSA/AML validations and answer questions from the group. This article provides a summary of the main points of Debb’s conversations on the call.
At the outset, there was confusion about whether BSA/AML transaction monitoring systems are indeed models or just a "rule" and not subject to MRM validation standards. Relying on her experience in validating BSA/AML models, Debb pointed out that most systems incorporate a structure of "if/then" statements, which are various rules. A rule, by itself, does not constitute a model; however, in BSA, there is a multitude of rules, which frequently have points assigned to them that are then totaled. If the total exceeds a certain threshold, an alert will be triggered. For example, for a particular transaction, the amount is within a range of dollars, and the transaction type could be an outgoing wire transfer to an international destination; this same transaction may have occurred three times within the last five days. That transaction received one or more point values, but those point values by themselves are not necessarily sufficient to trigger an alert. However, when taken with other factors such as the details of the account holder or entity, the points may add up to a value that could trigger an alert. Although not implicitly calculated, these events and rules add up to a probability of money laundering or terrorist financing.
The purpose of AML is to produce alerts that when analyzed lead to a meaningful Suspicious Activity Report (SAR) or Currency Transaction Report (CTR). AML is most often viewed as a "predictive model" in that it predicts an outcome – in this case, whether or not a SAR should be filed. The issue has been that institutions are unaware if the SAR that was produced is meaningful, because the Financial Crimes Enforcement Network (FinCEN) and Treasury have not been required to provide any feedback as to whether any particular SAR led to the capture of criminals. On January 1 of this year, Congress enacted the Anti-Money Laundering Act of 2020 as part of the National Defense Authorization Act, which now requires the Feds to share information on SARs with the financial institutions, allowing these institutions to enhance their systems via this feedback.
In most model validations, there is an outcome to compare against – thus far, however, the same cannot be said with BSA/AML. The validation performed will confirm that alerts are being managed and evaluated properly. For example, some rules use a defined quarterly period. Professional money launderers are crafty, so they make sure all of their transactions do not occur in the same quarter – they may cross over quarters to avoid detection. This may go unnoticed by the rules set by an institution, which may result in a finding in the validations that we perform. Analysts must have the ability to see the broader picture of activity that is generated from the model, system, or program. These types of factors are more representative of your level of risk than the actual model.
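An added example (not from the article or from DCG): a minimal point-scoring monitor of the kind described above, run over constructed transactions that straddle a quarter boundary, to show what a validation test of the look-back period can surface. All point values, the alert threshold, the aggregate limit and the 90-day rolling window are assumptions chosen for illustration.

```python
from datetime import date, timedelta

ALERT_THRESHOLD = 50    # assumed: total points needed to raise an alert
PERIOD_LIMIT = 25_000   # assumed: aggregate outgoing amount per look-back period

def quarter(d):
    return (d.year, (d.month - 1) // 3)

def period_total(txn, history, mode):
    """Amount moved in the look-back period ending at txn (single account)."""
    if mode == "quarter":            # fixed calendar quarter
        def in_period(h):
            return quarter(h["date"]) == quarter(txn["date"])
    else:                            # rolling 90 days, ignores quarter edges
        start = txn["date"] - timedelta(days=90)
        def in_period(h):
            return start < h["date"] <= txn["date"]
    return txn["amount"] + sum(h["amount"] for h in history if in_period(h))

def score(txn, history, mode):
    """Total the points of every if/then rule that fires for this transaction."""
    points = 0
    if 5_000 <= txn["amount"] < 10_000:
        points += 15                 # amount within a watched dollar range
    if txn["type"] == "wire_out" and txn["international"]:
        points += 20                 # outgoing international wire
    if txn["high_risk_holder"]:
        points += 10                 # account-holder factor
    if period_total(txn, history, mode) > PERIOD_LIMIT:
        points += 20                 # aggregate activity in the period
    return points

def alerts(txns, mode):
    """Dates of transactions whose total score reaches the threshold."""
    ordered = sorted(txns, key=lambda t: t["date"])
    return [t["date"] for i, t in enumerate(ordered)
            if score(t, ordered[:i], mode) >= ALERT_THRESHOLD]

# Constructed sample: four 9,000 wires from one account, two in late Q1
# and two in early Q2 of 2021.
SAMPLE = [
    {"date": d, "amount": 9_000, "type": "wire_out",
     "international": True, "high_risk_holder": False}
    for d in (date(2021, 3, 22), date(2021, 3, 29),
              date(2021, 4, 2), date(2021, 4, 6))
]

if __name__ == "__main__":
    print("calendar quarter:", alerts(SAMPLE, "quarter"))
    print("rolling 90 days: ", alerts(SAMPLE, "rolling"))
```

With the calendar-quarter period each transaction scores 35 and nothing alerts; with the rolling period the third and fourth wires score 55 and alert.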
The new interagency guidance on MRM and BSA/AML indicates that BSA/AML models, systems, or programs require validation. Still, there was a question as to the requirements for validation. Debb pointed out that the determination is risk-based, noting the changes over the past year requiring regulators to risk rate institutions. Model risk managers look at risk rating from the perspective of risk and materiality, while BSA/AML follows the FFIEC BSA/AML Appendices - Appendix J – Quantity of Risk Matrix.
At DCG, we always perform an independent BSA/AML assessment of the client's risk per the FFIEC Appendix J to best align the validation with the institution's risk. It would be a beneficial exercise to review Appendix J for your organization and provide yourself a much stronger rating that can be used for BSA/AML risk validations and examinations. This would help to set the criteria for how often and how in-depth your BSA validation should be.
FFIEC Appendix J has 11 factors to evaluate based on a "Low/Moderate/High" risk rating scale:
Customer Base: stable and known is "low" & large and growing is "high".
Electronic Banking: none is "low" & extensive is "high".
Large Currency/Structured Transactions: few is "low" & significant is "high".
High-risk Customers: few is "low" & large number is "high" (High-risk customers would be non-resident aliens or Politically Exposed Persons [PEP]).
Foreign Correspondents/Pouch Activity: few is "low" & large number is "high" (Pouch activity consists of payable through accounts, prepaid cards, or trade financing).
Private Banking Services and Trust Accounts: considered higher risk for money laundering.
International Accounts: few accounts or low volume of activity is "low" & a large number of accounts and high activity is "high" (Within the international spectrum, it is helpful to look at country risk and regularly check against sources like the global anti-money laundering research site https://www.knowyourcountry.com/ or the Basel AML Index country risk ranking from the Basel Institute on Governance [baselgovernance.org]).
Transfers for Customers/Third-Party Transactions: few is "low" & large number is "high".
Location Where You Do Business: is it a High-Intensity Drug Trafficking Area (HIDTA) or a High-Intensity Financial Crime Area (HIFCA)?
Transactions within High-Risk Geographic Locations: such as HIDTA or HIFCA.
Turnover of Key Personnel: this is one that many overlook; this is not just turnover within the BSA/AML area of the institution or management, it is also the front-end (tellers, customer service reps, branch personnel) who are in charge of collecting information on customers for CIP to determine customer due diligence (CDD) and potential for enhanced due diligence (EDD).
If your overall risk rating is low, the examiners may pay less attention, but if your rating is moderate to high, the level of scrutiny will be increased, and whether you consider BSA/AML a model, tool, system, or program – it will need to be validated at your determined risk level. When the validation is performed, the process will vary based on the risk ratings. If the rating is low, the validation most likely will not include services and products such as trade financing or correspondent banking or even need to consider practices involving Politically Exposed Persons (PEP). The validation would focus more on the governance, procedures, practices, and transaction testing. For example, items such as: is an escalation process in place; does the data reflect the rules; are the transaction codes mapped and processed correctly, would be reviewed. As the risk rating increases, so too should the level of scrutiny in the validation.
The question of validation frequency was raised, and again Debb pointed to risk ratings as being the driver – the higher the risk rating, the more frequent the validation. Through Debb's experience, she has seen very large/risky banks validate every six months, while less risky institutions fall more into every two years (and the occasional community organization may stretch to three years if the risk is very low). Even if the validation is performed every two years, there could be areas that require a more frequent review. For example, the Treasury Department Office of Foreign Assets Control (OFAC) updates its sanctions listings almost daily. These sanctions lists, which include individuals and entities owned/controlled by targeted countries and individuals/groups (i.e., terrorists, drug traffickers) designated under programs that are not country-specific, need to be updated regularly if your process is internal and performed manually. If you utilize a vendor system, this should be updated automatically – so how you choose to manage your process directly impacts the frequency of your validation.
Unlike your other models, BSA/AML is constantly changing and evolving, so it is imperative that your policies, procedures, and practices (and training!) are updated to keep pace with the changes. This past year, COVID changed the game for BSA/AML with a new focus on PPP portfolios, elder abuse, working from home, and human trafficking (which doubled the number of red flags!). As you review your process, make sure all the updates have been accounted for within the policy, as the likelihood of getting cited is high if the policy is not current. An area that examiners often find deficient, resulting in consent orders, is insufficient CDD and EDD, so make sure these are being continually reviewed, updated, and there is sufficient training.
It was only a one-hour call with the ABA, and there were so many questions that Debb could have talked about BSA/AML for many more hours! This session was just the tip of the iceberg concerning the evolution of BSA/AML and the focus of validations. But the importance of closely monitoring the activity is critical and vital for all members of the organization to understand the potential impact. Under Model Risk Management Guidance, model risk comes from "incorrect or misused model outputs." A misused interest rate risk or credit model could result in reduced profitability, regulatory findings or, at worst, a consent order. But a poorly monitored or managed AML rule or model could incur significant fines (FinCEN and the federal banking agencies can bring civil penalties for BSA violations up to the greater of $1 million or twice the value of the transaction - see Capital One’s $390 million fine for “egregious AML compliance failures”) and reputational damage to the institution and its leadership. While BSA/AML may not be discussed in ALCO or most Board meetings, its impact on your organization has never been more significant. Make sure you pay it the attention it requires so you don't find out there is an issue when it's too late!
ABOUT THE AUTHOR
Mark Haberland is a Managing Director at Darling Consulting Group. Mark has over 25 years providing balance sheet and model risk management education and consulting to the community and mid-size banking space. A frequent author and top-rated speaker on a wide array of risk management topics, Mark facilitates educational programs and workshops for numerous financial institutions, industry and state trade associations, and regulatory agencies.
© 2021 Darling Consulting Group, Inc.