THE ANTI-MONEY LAUNDERING ASSOCIATION AML SYSTEMS -- DATA VALIDATION OCTOBER 20, 2011 Kristen J. Stogniew, Shareholder Saltmarsh, Cleaveland & Gund
Dec 18, 2015
I am ---
- 16 years BSA & Regulatory Compliance consulting, including audit, monitoring, training
- Attorney - Florida Bar Member since 1995
- Accredited ACH Professional
- A deep thinker…
I am not ---
- IT person
- Regulator
- Vendor representative
Agenda
- Purpose of AML system
- Examiner expectations
- Improve your chances of passing data validation testing
- Methodology for testing
  - Determine what is brought in
  - Determine how it is being used
  - Test Input/Output
Regulatory Expectations on AML/MIS systems, since 2005…
FFIEC Exam Manual: Independent Testing
- The Independent Test should address…the integrity and accuracy of MIS used in the BSA/AML compliance program. MIS includes reports used to:
  - identify large currency transactions,
  - aggregate daily currency transactions,
  - funds transfer transactions,
  - monetary instrument sales transactions, and
  - analytical and trend reports.
- The programming of the Bank’s monitoring systems should be independently reviewed for reasonable filtering criteria.
- Determine whether the system filtering criteria are reasonable and include, at a minimum, cash, monetary instruments, funds transfers, and other higher risk products, services, customers, or geographies, as appropriate.
Implementation Phase
Vital to success
Takes extensive time
Basis for data validation down the road
Map out where data is coming in….“data feed”
Implementation Phase, cont’d
- What transaction codes are being used? (Are they being used correctly & consistently?) Example: General debit or credit, or Incoming domestic wire; Outgoing domestic wire; Incoming foreign wire; Outgoing foreign wire
- Monetary Instrument sales – can implement unique code
- ATM systems cannot always tell if cash or check deposit; can implement mitigating process…
Readiness Phase
- Select your customer sample for CIP/CDD
- Select your transaction sample
- Pull report that meets your sample criteria and check off against both lists; and
- Pull customer report(s) and verify transaction appears, with all ancillary data.
- Document, Document, Document
Test, Test, Test
- New account reports and any forms
- Branch cash tickets/teller boards/night deposit logs
- Wire transfers excel logs, or correspondent bank reports
- Branch monetary instrument sales logs
During recent Independent Test…
“For the days in our sample, the AML system failed to capture the following types of transactions: Miscellaneous cash out; On us non-customer cashed check; Money market withdrawal; Savings withdrawal; and Checking deposit cash in…The institution requested the vendor
review the configuration to determine why…For the transactions, the cash component was missing in the configuration…”
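An added example, not part of the original presentation or any vendor's system: a Python sketch of the readiness-phase check, tracing a sample of source transactions into an AML system extract and reporting transaction codes that were never captured or that lost their cash component, as in the finding quoted above. All field names, transaction codes and records are constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample: source-side records (teller cash tickets, wire logs)
# keyed by transaction id. Codes and field names are hypothetical.
SOURCE = [
    {"id": "T1", "date": "2011-10-03", "code": "CASH_DEP_CHK", "amount": "4200.00", "cash": "4200.00"},
    {"id": "T2", "date": "2011-10-03", "code": "MISC_CASH_OUT", "amount": "9500.00", "cash": "9500.00"},
    {"id": "T3", "date": "2011-10-03", "code": "WIRE_OUT_FOR", "amount": "12000.00", "cash": "0.00"},
    {"id": "T4", "date": "2011-10-04", "code": "SAV_WD", "amount": "3000.00", "cash": "3000.00"},
    {"id": "T5", "date": "2011-10-04", "code": "MISC_CASH_OUT", "amount": "700.00", "cash": "700.00"},
]
# Constructed sample: what the AML system's data feed actually holds.
AML = [
    {"id": "T1", "date": "2011-10-03", "code": "CASH_DEP_CHK", "amount": "4200.00", "cash": "4200.00"},
    {"id": "T3", "date": "2011-10-03", "code": "WIRE_OUT_FOR", "amount": "12000.00", "cash": "0.00"},
    {"id": "T4", "date": "2011-10-04", "code": "SAV_WD", "amount": "3000.00", "cash": "0.00"},
]

def reconcile(source, aml):
    """Trace each sampled source transaction into the AML extract."""
    aml_by_id = {r["id"]: r for r in aml}
    aml_codes = {r["code"] for r in aml}
    missing = defaultdict(list)       # code -> ids never captured
    cash_dropped = []                 # ids captured without their cash component
    daily_gap = defaultdict(Decimal)  # date -> source dollars not in AML
    for rec in source:
        hit = aml_by_id.get(rec["id"])
        if hit is None:
            missing[rec["code"]].append(rec["id"])
            daily_gap[rec["date"]] += Decimal(rec["amount"])
            continue
        if Decimal(rec["cash"]) > 0 and Decimal(hit.get("cash") or "0") == 0:
            cash_dropped.append(rec["id"])
        daily_gap[rec["date"]] += Decimal(rec["amount"]) - Decimal(hit["amount"])
    return {
        "missing_by_code": dict(missing),
        # Codes with no record at all point at the feed mapping, not one-off errors.
        "unmapped_codes": sorted(c for c in missing if c not in aml_codes),
        "cash_dropped": cash_dropped,
        "daily_dollar_gap": {d: g for d, g in daily_gap.items() if g != 0},
    }

if __name__ == "__main__":
    for key, value in reconcile(SOURCE, AML).items():
        print(key, value)
```

A code that appears in the source but never in the AML extract suggests a data-feed mapping gap to raise with the vendor, while a captured record with a zeroed cash amount matches the "cash component was missing in the configuration" case.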
Deeper thoughts on implementation…
Run parallel for a while…3-6 months
Join your system’s user group
Regulatory Expectations, since 2005
FFIEC Exam Manual, Suspicious Activity Reporting - Overview
“Management should periodically evaluate the appropriateness of filtering criteria and thresholds used in the monitoring process. Each bank should evaluate and identify filtering criteria most appropriate for their institution.”
Regulatory Guidance – institution awareness
Management should document or be able to explain filtering criteria, thresholds used, and how both are appropriate for the institution’s risks.
Recent test comments: “The BSA Officer was not aware of the AML system’s parameters that triggered the alert reports, and was not able to identify the triggers after researching the system during our review.”
Regulatory Guidance - setup
- System filtering criteria should be developed through a review of specific higher-risk products and services, customers and entities, and geographies.
- What customers, products and services are included within the surveillance monitoring system?
Recent test comments: “Accounts rated as Charity, Jewel Dealer, and Non-traditional financial entities are not being assigned added points at account opening.” “DBAs are not being industry-coded.”
Regulatory Guidance - baseline
- System filtering criteria, including specific profiles and rules, should be based on what is reasonable and expected for each type of account.
- Monitoring accounts purely based on historical activity can be misleading if the activity is not actually consistent with similar types of accounts.
- What is the system’s methodology for establishing and applying expected activity or profile filtering criteria and for generating monitoring reports?
Recent test comment: “Customer Due Diligence data obtained at account opening is not being input to the AML system.”
Testing Transaction and Rules
Sample screen shot where you can trace your sampled transaction into the system. Small box shows the transaction types (data feeds).
Surveillance Parameters
- Vendor supplied
- Institution created
Constant Evaluation - Change Control Processes
Deeper thoughts on change control…
- The volume of system alerts should not be tailored solely to meet existing staff levels.
- System changes should be performed independently, and documented with: purpose for the change, evaluation afterwards, and process to “un-do” if need be.
- BSA Officer should be involved/aware of all system updates. What is the impact on our filters/parameters? Re-do testing where applicable!
Regulatory guidance on change control…
- The authority to establish or change expected activity profiles should be clearly defined and should generally require the approval of the BSA Officer or senior management.
- Do controls limit access to the monitoring system and is there sufficient oversight of assumption changes?
Recent test comment: “The BSA Officer can make changes to the parameters without IT or other independent review, and system maintenance reports do not provide a useful audit trail for parameter changes.”
Who uses AML system for Risk Rating?
- Actual “high risk list” or something else?
- Data validation can compare to Board and other reports of “high risk” customers …
- Take transaction tests (performed earlier) and verify that “points” were properly assessed (or, transaction was appropriately identified by the filter).
- Sample customers identified as high risk and validate appropriate.
Who uses AML system for recordkeeping?
Test recordkeeping and reporting for:
- Funds Transfers $3,000 or more
- Cash sales of Monetary Instruments $3,000 or more
- Customer Identification (CIP)
- Customer Due Diligence – Establish the risk level at account opening
- CTRs
- SARs
Recent exam comment: “None of the CTRs thought to have been created and filed during this period were actually sent to FinCEN, as the system’s entire filing process was not ‘completed’.”
Who uses system for OFAC/314(a)?
Office of Foreign Assets Control
- Test -- Date of list update(s)
- Test -- Transactions searched
- Test -- name on list
USA PATRIOT Act 314(a)
- Test -- records maintained
- Test -- kept secure
SAMPLE: Audit reports are available under Alerts – Watch List - Reports.
- Quick Search Log – provides a log of front line or teller searches against installed lists
- Watch List Analysis Audit Log – provides an audit trail of scans and list updates
- 314(a) Audit Log – provides a log of 314(a) files and any matches
- IAT Audit Log – provides a log of IAT import and any matches
The “Installed List” panel on the dashboard also gives a snapshot of the lists the institution is using as well as when they were last updated.
Final deep thoughts…..
- Each System is different
- Read SAS 70 – SSAE 16 reports
- Create test environment
- Built in data validations & audit reports
  - Missing data reports
  - Daily # of new accounts brought in
  - Daily $ of transactions