In one critical anti-money laundering (AML) review of a mid-tier bank, examiners admitted to having a hard time understanding how the transaction monitoring system worked.
Virtually none of the information necessary for their review - the types of accounts and transactions to be analyzed, the project minutes, the identified gaps in coverage - was readily available. The documentation of decisions sat as an aging paper trail on the shelves of the Project Management Office (PMO).
And, notably, disastrous decisions had been made. The transaction monitoring system was fed transactional data from the deposit system, and could be no more effective than the data that had been shipped to it. It was possible to set up the system so that whole classes of account types - for example employees - were completely excluded from monitoring.
Some individual accounts had actually been assigned their own unique account type, which made it easy to overlook specific high-income or embassy accounts. Critical decisions had been made in the course of implementation that were not fully understood by those performing internal and external oversight, and in fact, some customers were flying beneath the radar.
Further confusing the picture, the monitoring system, which was considered the cornerstone of the bank's compliance program, was not effectively linked to the risk management plan.
Any outsider looking in would be hard-pressed to understand how Bank Secrecy Act and "know your customer" (KYC) policies and procedures related to the automated transaction monitoring system because no attempt had been made to update the manuals to reflect the realities of the new system.
What this bank lacked was a comprehensive picture of how it was complying with AML regulations. What it needed was an "architectural" rendering of all the components of the compliance program - down to the data elements - that would easily and effectively link the examiner to the realities of the effort.
In many organizations today, the PMO library has been replaced by an enterprise content management (ECM) system. In ECM systems, knowledge is managed through the sharing of institutional data using Web-enabled technology.
Intranets - the secure, private websites of companies - can be used by employees and examiners to access corporate information; for example, the risk management plan could be accessed as an electronic document with embedded links to the details.
A well-constructed risk management plan, one created with the goal of organizational and system transparency, defines not only what steps have been taken to comply with regulations, but also the how and the who at a very detailed level, ensuring clarity and accountability.
Electronic documents contain embedded links to other sites or other documents and are extremely useful for quickly understanding the whole compliance picture. (See figure 1)
When you click on the link to IT (information technology), you will be presented with a narrative describing IT's role in BSA compliance, and a diagram of the systems that are part of the monitoring effort.
The narrative will explain how the transaction monitoring system works, and with additional clicks, you will be presented with another document that will have embedded links to the nuts and bolts of how the system was implemented.
Choices might include account types monitored and account types not monitored. Clicking on these will give the examiner a complete list of account types that the bank chose to monitor and those the bank decided needed no monitoring. These Intranet documents serve as an audit tool and allow examiners to drill down to organizational functions, people and automated systems, even to the data elements, leading the way to creation of testing scenarios.
Implementation of an anti-money laundering program is a careful, thoughtful process of defining the elements - systems, data, processes and people - that are the building blocks of compliance.
An architectural approach, one that stands up to the demands of external auditors, will result in clearly defined compliance goals and easy-to-audit systems. Because so much of compliance relies on automated systems, it is critical for risk managers and examiners to know how the systems were configured. PMO or ECM documents hold the key to compliance. They define what accounts and transactions are being monitored, who made the decisions, and how the process works.
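The coverage gaps described earlier (whole account types excluded from monitoring, and individual accounts given their own unique account type) can be turned into a repeatable testing scenario. The sketch below is an added example, not part of the original article or any bank's system; the account IDs, type codes, field names and the exclusion register are all constructed assumptions.

```python
from collections import Counter

# Constructed sample data: an extract of deposit-system accounts and the
# account types the monitoring system is configured to analyze.
DEPOSIT_ACCOUNTS = [
    {"account_id": "A-1001", "account_type": "RETAIL_CHK"},
    {"account_id": "A-1002", "account_type": "RETAIL_CHK"},
    {"account_id": "A-1003", "account_type": "RETAIL_SAV"},
    {"account_id": "A-1004", "account_type": "RETAIL_SAV"},
    {"account_id": "A-2001", "account_type": "EMPLOYEE"},
    {"account_id": "A-2002", "account_type": "EMPLOYEE"},
    {"account_id": "A-3001", "account_type": "EMB_01"},       # one-off type
    {"account_id": "A-3002", "account_type": "HNW_SPECIAL"},  # one-off type
]
MONITORED_TYPES = {"RETAIL_CHK", "RETAIL_SAV", "HNW_SPECIAL", "BUSINESS_CHK"}
# Hypothetical register of exclusions that have a recorded decision behind them.
DOCUMENTED_EXCLUSIONS = {"EMPLOYEE": "constructed decision reference"}


def coverage_report(accounts, monitored, documented_exclusions):
    """Compare what the deposit system holds with what monitoring covers."""
    by_type = Counter(a["account_type"] for a in accounts)
    unmonitored = {t: n for t, n in by_type.items() if t not in monitored}
    return {
        # Account types present in the deposit system but never analyzed.
        "unmonitored_types": dict(sorted(unmonitored.items())),
        # Exclusions nobody can trace back to a recorded decision.
        "undocumented_exclusions": sorted(
            t for t in unmonitored if t not in documented_exclusions),
        # Types held by exactly one account: easy to overlook in a type list.
        "singleton_types": sorted(t for t, n in by_type.items() if n == 1),
        # The individual accounts that are outside monitoring.
        "unmonitored_accounts": sorted(
            a["account_id"] for a in accounts
            if a["account_type"] not in monitored),
        # Configured types with no accounts: a sign the config has drifted.
        "stale_monitored_types": sorted(monitored - set(by_type)),
    }


if __name__ == "__main__":
    report = coverage_report(DEPOSIT_ACCOUNTS, MONITORED_TYPES,
                             DOCUMENTED_EXCLUSIONS)
    for finding, value in report.items():
        print(f"{finding}: {value}")
```

Run against real extracts, each non-empty finding becomes a question for the decision record: who approved the exclusion, and where is it documented.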
Marie G. Kerr specializes in Financial Fraud. She is a Certified Financial Crime Specialist, Certified Anti-Money Laundering Specialist (CAMS), and Project Management Professional (PMP). Ms. Kerr is a financial industry veteran with a deep understanding of how financial institutions work. She has served as a Homeland Security Program Advisor and Fraud Detection Subject Matter Expert (SME) and an IT and AML Advisor for a three-bank merger.