
Auditing the Effectiveness of Your AML Program

By Michael Zeldin
March 01, 2004

The Federal Reserve Board and the New York Department of Banking have adopted a strict-review standard in their evaluation of the effectiveness of the Anti-Money Laundering (AML) compliance programs of financial institutions. Recent enforcement actions demonstrate that regulators pay particular attention to the effectiveness of Suspicious Activity Reporting (SAR) and Currency Transaction Reporting (CTR) as key components. In addition, an effective audit program must focus on the other essentials: Know Your Customer (KYC), Training, and Testing. How can you be sure that the institution you advise is prepared for a money laundering audit?

While the specifics on how best to accomplish this will depend on the customer base of and products sold by the institution, several constants apply to most retail operations. (Institutional customers present their own challenges and are not specifically addressed in this article.)

To understand the mindset of a bank regulator approaching an AML retail-bank audit, let's take a step back before moving into the specifics.

The Patriot Act Communications System (PACS)

The PACS system is an automated CTR/SAR Filing System used by the Financial Crimes Enforcement Network of the Treasury Department (FinCEN). It allows any institution to file CTRs and SARs electronically. FinCEN expects all institutions to migrate to this system promptly, for two reasons. First, the government, using sophisticated data mining tools, will be better able to analyze trends across a broad spectrum of financial information. Second, institutions fully geared up to avail themselves of PACS will have an in-house electronic database enabling them to spot trends and flag risky transactions in connection with their CTR/SAR filings. Smarter data from financial institutions makes the government smarter as well.

The compliance department should perform an in-house analysis of this kind with help from the IT department, and Audit should test its effectiveness.

FinCEN Studies the CTR Exemption System

FinCEN recently published a report pursuant to § 326 of the Patriot Act on the CTR exemption process. The report reflects FinCEN's growing frustration with the overwhelming numbers of CTRs that are of little law enforcement value. From the perspective of the regulators, if financial institutions are not actively engaged in the process of examining their Phase II exemption practices to ensure that all entities that can properly be exempted from the CTR filing requirements have been weaned out of the system, they are failing to meet their responsibilities under the Bank Secrecy Act. The less non-probative information the government receives from financial institutions, the smarter it can be in tracking money laundering and terrorist financing. Audit has a key role to play in ensuring that the CTR filing system is not just junk in/junk out. With this background, we can now address the key components of an audit program.

Follow the Money

The key to auditing the effectiveness of an AML compliance program is to “follow the money” throughout the financial institution. That is, all entry and exit points into and out of the financial institution must be identified and examined so that internal controls can be established. Likewise, following the money allows audit to ascertain whether the AML procedures are being followed in accordance with AML policy directives. For example, with respect to currency transactions, questions that must be answered include:

  • Does the institution properly aggregate all cash-in/cash-out transactions for customers and non-customers in relation to sales of monetary instruments; sales of funds transfers; and sales of foreign currency?
  • Is the institution aggregating all transactions with respect to ATM deposits and withdrawals, both domestically and internationally?
  • If the institution engages in transactions with non-customers, can you be assured that you are tracking point-of-sale transactions for the cashing of travelers checks, sales of monetary instruments and wire transfers?
  • If the institution engages in foreign currency exchanges, are they being accounted for in the CTR/SAR filing processes?
  • If the institution uses an automated CTR software filing system, how does it assign customer identification numbers for people without a US Taxpayer Identification Number (TIN)? Are these customers given unique numbers that stay with them across the life of their relationship with the institution, or do they change annually? What if the customer has multiple accounts? Does your software assign the same number to this customer for all the accounts across the enterprise, or does each account within the bank and across business lines (brokerage, banking, etc.) get its own number? If the latter, how do you audit for this?

Know Your Customer (KYC)

Knowing one's customer is the key to having a successful AML compliance program. The Achilles' heel of any KYC program is the adequacy of the KYC data that must be uploaded into the transaction monitoring system. If the data is not clean, it cannot easily be queried, and its analytic value is reduced. Data of reduced analytic value means the institution is less “smart” both internally and as it interfaces with the government.

Effective transaction monitoring requires a comparison of the KYC data against the customer's transactions to determine whether they make business sense. This “sensibleness” analysis is the heart of an effective SAR reporting system. The compliance officer must be able to answer the key question: Does this transaction make sense in light of what we know about the customer? If it doesn't, what additional information must be obtained? Who has primary responsibility for acquiring the missing information? What amount of time will be allowed to acquire the information? What are the institution's policies relating to closing accounts for insufficient KYC information? Are there procedures in place to ensure that any decisions made with respect to the account are adequately documented?

Audit must make sure that compliance procedures are in place to answer these questions. Otherwise, the AML program cannot be audited meaningfully.

Training

The regulatory requirement of having an AML training program is clear, and Audit must measure whether the training program is robust. Is the training appropriate to the level of employee being trained? Is it occurring often enough to ensure that, despite staff changes, employees remain current in their understanding of money laundering and terrorist financing risk? Are new employees trained promptly, or is training even a precondition of employment? Audit must ascertain whether branch personnel are thinking about what they are doing and why, not just checking boxes on forms. Audit must document that all personnel, from top to bottom, are trained adequately for their assigned node in the network of AML compliance. Periodic testing is essential.

The World Around You

Compliance officers must understand the world in which they live and do business. AML compliance cannot be performed in a vacuum. Here is a simple test for compliance officers:

  • What countries in which your institution does business have currency control limitations? How will your customers from these countries receive/send money? This is especially important for foreign students. As to students, is their tuition paid directly? Are all 4 years of tuition sent at one time? Does unspent money get sent back home between academic years or is it retained in the US account? When the student graduates, how is the account tracked? Will you see an account opening in Kansas and then upon graduation the account migrate to another state? Will your KYC be updated to take account of the graduation?
  • Similarly, if you have a large immigrant customer base, how much money does a busboy, waiter, cook, hairdresser make? If you do not know the answer, you cannot tell if cash transactions to the Middle East, Indonesia, Pakistan, and so forth are normal activity of sending money home or might be financing a terrorist cell. In certain ethnic communities investment clubs are commonplace. Do you know how they operate? The same is true for private loans within or between families. How is the source of funds for such loans investigated? What level of diligence is due for an Enhanced Due Diligence (EDD) protocol to be effective?

If you cannot answer questions like these, regulators may wonder whether you are part of the solution or the problem.




Michael Zeldin, Deloitte and Touche
