THE ANTI-MONEY LAUNDERING ASSOCIATION AML SYSTEMS -- DATA VALIDATION OCTOBER 20, 2011 Kristen J. Stogniew, Shareholder Saltmarsh, Cleaveland & Gund.

THE ANTI-MONEY LAUNDERING ASSOCIATIONAML SYSTEMS -- DATA VALIDATION

OCTOBER 20, 2011

Kristen J. Stogniew, ShareholderSaltmarsh, Cleaveland & Gund

I am --- 16 years BSA &

Regulatory Compliance consulting, including audit, monitoring, training

Attorney - Florida Bar Member since 1995

Accredited ACH Professional

A deep thinker…

I am not --- IT person Regulator Vendor

representative

2

Agenda

Purpose of AML system Examiner expectations Improve your chances of passing data validation testing

Methodology for testingDetermine what is brought inDetermine how it is being used

Test Input/Output

3

Why implement an AML system

?

4

Regulatory Expectations on AML/MIS systems, since

2005….FFIEC Exam Manual: Independent Testing The Independent Test should address…the integrity and

accuracy of MIS used in the BSA/AML compliance program. MIS includes reports used to:

identify large currency transactions, aggregate daily currency transactions, funds transfer transactions, monetary instrument sales transactions, and analytical and trend reports.

The programming of the Bank’s monitoring systems should be independently reviewed for reasonable filtering criteria. Determine whether the system filtering criteria are reasonable

and include, at a minimum, cash, monetary instruments, funds transfers, and other higher risk products, services, customers, or geographies,

as appropriate.

5

Implementation Phase

Vital to success

Takes extensive time

Basis for data validation down the road

Map out where data is coming in….“data feed”

6

Data feeds….

XYZ AML

System

7

Types of Currency Transactions…

8

Implementation Phase, cont’d

What Transaction codes are being used? (are they being used correctly & consistently?). Example: General debit or credit, or Incoming domestic wire; Outgoing domestic wire; Incoming foreign

wire; Outgoing foreign wire Monetary Instrument sales – can implement unique

code ATM systems cannot always tell if cash or check

deposit; can implement mitigating process…

9

Select your customer sample for CIP/CDD

Select your transaction sample Pull report that meets your

sample criteria and check off against both lists; and

Pull customer report(s) and verify transaction appears, with all ancillary data.

Document, Document, Document

Readiness Phase

Test, Test, Test New account reports and

any forms Branch cash tickets/teller

boards/night deposit logs Wire transfers excel logs,

or correspondent bank reports

Branch monetary instrument sales logs

10

During recent Independent Test…

“For the days in our sample, the AML system failed to capture the following types of transactions: Miscellaneous cash out; On us non-customer cashed check; Money market withdrawal; Savings withdrawal; and Checking deposit cash in…The institution requested the vendor

review the configuration to determine why…For the transactions, the cash component was missing in the configuration…”

11

Deeper thoughts on implementation…

Run parallel for a while…3-6 months

Join your system’s user group

12

Why Automated Solution for Monitoring

?

13

Regulatory Expectations, since 2005 FFIEC Exam Manual, Suspicious

Activity Reporting - Overview “Management should periodically

evaluate the appropriateness of filtering criteria and thresholds used in the monitoring process. Each bank should evaluate and identify filtering criteria most appropriate for their institution.”

14

Surveillance Monitoring Parameters

15

Surveillance Monitoring Parameters

16

Surveillance Monitoring Parameters

17

Regulatory Guidance – institution awareness

Management should document or be able to explain filtering criteria, thresholds used, and how both are appropriate for the institution’s risks.

Recent test comments: “The BSA Officer was not aware of the AML system’s parameters that triggered the alert reports, and was not able to identify the triggers after researching the system during our review.”

18

Regulatory Guidance - setup System filtering criteria should be

developed through a review of specific higher-risk products and services, customers and entities, and geographies. What customers, products and

services are included within the surveillance monitoring system?

Recent test comments: “Accounts rated as Charity, Jewel Dealer, and Non-traditional financial entities are not being assigned added points at account opening.”“DBAs are not being industry-coded.”

19

Regulatory Guidance - baseline System filtering criteria, including specific

profiles and rules, should be based on what is reasonable and expected for each type of account.

Monitoring accounts purely based on historical activity can be misleading if the activity is not actually consistent with similar types of accounts. What is the system’s methodology for establishing

and applying expected activity or profile filtering criteria and for generating monitoring reports?

Recent test comment: “Customer Due Diligence data obtained at account opening is not being input to the AML system.”

20

Testing Transaction and Rules

Sample screen shot where you can trace your sampled transaction into the system. Small box shows the transaction types (data feeds).

21

Vendor supplied

Surveillance Parameters

Inst

itutio

n

create

d

Constant Evaluation -

Change Control

Processes

22

Deeper thoughts on change control… The volume of system alerts should

not be tailored solely to meet existing staff levels.

System changes should be performed independently, and documented with: purpose for the change, evaluation afterwards, and process to “un-do” if need be

BSA Officer should be involved/aware of all system updates. What is the impact on our filters/parameters? Re-do testing where applicable!

23

Regulatory guidance on change control…

The authority to establish or change expected activity profiles should be clearly defined and should generally require the approval of the BSA Officer or senior management Do controls limit access to the monitoring

system and are there sufficient oversight of assumption changes? Recent test comment:

“The BSA Officer can make changes to the parameters without IT or other independent review, and system maintenance reports do not provide a useful audit trail for parameter changes.”

24

Who uses AML system for Risk Rating? Actual “high risk list” or something else? Data validation can compare to Board and

other reports of “high risk” customers … Take transaction tests (performed earlier)

and verify that “points” were properly assessed (or, transaction was appropriately identified by the filter).

Sample customers identified as high risk and validate appropriate.

25

Who uses AML system for recordkeeping?

Test recordkeeping and reporting for: Funds Transfers $3,000 or more Cash sales of Monetary Instruments $3,000 or

more Customer Identification (CIP) Customer Due Diligence – Establish the risk

level at account opening CTRs SARs

Recent exam comment: “None of the CTRs thought to have been created and filed during this period were actually sent to FinCEN, as the system’s entire filing process was not ‘completed’.”

26

Who uses system for OFAC/314(a)? Office of Foreign Asset Control

Test -- Date of list update(s) Test -- Transactions searched Test – name on list

USA PATRIOT Act 314(a) Test -- records maintained Test -- kept secure

SAMPLE: Audit reports are available under Alerts – Watch List - Reports.Quick Search Log – provides a log of front line or teller searches against installed listsWatch List Analysis Audit Log – provides an audit trail of scans and list updates314(a) Audit Log – provides a log of 314(a) files and any matchesIAT Audit Log – provides a log of IAT import and any matches

The “Installed List” panel on the dashboard also gives a snapshot of the lists the institution is using as well as when they were last updated.

27

Final deep thoughts…..

Each System is different Read SAS 70 – SSAE 16 reports Create test environment Built in data validations & audit reports

Missing data reports Daily # of new accounts brought in Daily $ of transactions

28

Questions / Discussion

?

29