
Definition: Legal controls designed to prevent or report money laundering.
Bank Secrecy Act of 1970: Establishment of AML framework.
USA PATRIOT Act of 2001: Amended, strengthened Bank Secrecy Act of 1970.

Requires global financial institutions to monitor, investigate, and report suspicious transactions to the financial intelligence units of central banks.

Obligations imposed by the USA PATRIOT Act include:

AML compliance programs;
Customer identification programs;
Monitoring, detecting, and filing reports of suspicious activity;
Due diligence on foreign correspondent accounts;
Due diligence on private banking accounts;
Mandatory information-sharing in response to requests by federal law enforcement and compliance with special measures imposed by the Secretary of the Treasury to address particular AML concerns.

AML Compliance Program Requirements:

Must be in writing;
Include policies, procedures, and internal controls:
  Reasonably designed to achieve compliance with the Bank Secrecy Act and its implementing rules;
  Reasonably expected to detect and cause the reporting of transactions under 31 U.S.C. 5318(g) and the implementing regulations thereunder;
Designate an AML compliance officer and notify SROs;
Incorporate ongoing AML employee training;
Independently test the firm's AML program, annually for most firms.

What is an independent AML audit?
How does it fit into a firm's AML compliance program?
Requirements of an effective independent audit program
Case Study: American Express

An independent AML audit is an assessment of the effectiveness and integrity of an institution's AML program and should parallel the examinations performed by regulators.
Independent audit is required by law for most financial institutions as part of their AML program.
Even where not required by law, an independent audit can be an effective component of AML compliance.

Banks, savings associations, credit unions
Broker/Dealers
Mutual funds
Insurance companies
Money services businesses
SEC-registered investment advisers who voluntarily subject themselves to AML program requirements

Written policies and procedures (a.k.a. internal controls)
Designating an AML compliance officer
Training of employees and board of directors
Independent audit

Independent audits should be:

Comprehensive
Accurate
Adequate
Timely
[FFIEC Exam Manual, p. 36, para. 7]

If the independent audit has been performed in a manner that meets regulatory expectations, it is likely to be used as a blueprint for regulatory examiners during their on-site examination.
As we will see from the American Express case, if not done well, it can become a major problem for a financial institution.
The independent audit has many audiences, including compliance staff, senior officers, the Board of Directors, and the regulators.

The Manual was drafted by the Federal Financial Institutions Examination Council, or FFIEC, which consists of the five Federal banking regulators (the Federal Reserve Board, FDIC, NCUA, OCC, and OTS) plus the State Liaison Committee (comprised of five representatives of state financial regulators). The FFIEC collaborated with FinCEN in drafting the Manual, and OFAC on sanctions.
http://www.ffiec.gov/pdf/bsa_aml_examination_manual2007.pdf

Although drafted for banks and other depository institutions, it is recommended by the SEC and FINRA (the new Financial Industry Regulatory Authority, the successor to the NASD and certain broker-dealer related functions of NYSE Regulation) for securities firms.
Also used by non-bank financial institutions, such as insurance companies and money services businesses.

Page       Topic
12         Risk Profile
13         Transaction Testing
17         Independent Testing As A Guide For Examiners
24         Risk Assessment
30-31      Independent Testing, General Requirements
36-37      Checklist for Examiners
39         Sampling of Transactions
78         Review of MIS in Transaction Testing
142-144    OFAC Program
153        Treatment of Subsidiaries (See First Full Paragraph)
H-1/H-2    Availability of Documentation

This may depend on the size of the firm.
It may be done by the internal audit department, accounting firms, consultants, law firms or other qualified parties.
Whoever does it must be qualified to do so and independent of the AML compliance group within your company or firm.

The qualifications of the auditor must be demonstrable even if an internal audit department employee or other employee is doing the audit of your company. Hence, due diligence is necessary before designating the internal auditor or hiring an external consultant.
If done internally, the auditor must be independent of the AML compliance function, i.e. not part of the AML compliance team and not in the same reporting line.

The FFIEC Exam Manual states: "The findings should be reported directly to the Board of Directors or an audit committee composed primarily or completely of outside directors."
[Fn 17, Page 12; See Also Page 32, First Full Paragraph]

FINRA Rules state that the testing cannot be conducted by the AML compliance person(s) designated in Rule 3011, by any person who performs the AML functions being tested or by any person who reports to any of these persons.
[NASD NTM 06-07 (February 2006)]
However, there is an exception for small firms.

The FFIEC Exam Manual states: "While the frequency of audit is not specifically defined in any statute, a sound practice is for the bank to conduct independent testing generally every 12 to 18 months, commensurate with the BSA/AML risk profile of the bank."
The higher the risk profile of the institution, the greater the frequency of the audit.
More frequent audits should also be considered after acquisitions of financial services firms and other firms covered by AML program rules.

FINRA Rules state that for most firms, the independent test
should be performed at least once each calendar year [however]
firms that do not execute transactions for customers or otherwise
hold customer accounts or act as an introducing broker with
respect to customer accounts [may] test once every two years
(on a calendar-year basis) rather than on an annual basis.
[NASD NTM 06-07 (February 2006)]


In general, the independent audit should parallel the regulatory examination.
A starting point would be to review the prior years' independent audits, as well as examination reports.
Determine whether the recommendations contained in each of those reports were followed up or implemented by the firm.

Was the prior year's independent audit done by an independent and qualified auditor? The examiners will ask this question first.
Note that the auditor's report and work papers may be reviewed by the examiners.
[Source for these and following bullets: FFIEC Exam Manual, pp. 36-37]

The overall effectiveness of the AML compliance program, including policies, procedures, and processes: does it work?
What about the AML risk assessment on which the program is based: is it written (not required, but essential, otherwise the examiners may write it for you!), is it comprehensive, does it adequately identify known and foreseeable risks?

Are reporting and recordkeeping requirements adequate?
What about customer identification program (CIP) requirements? Note that CIP may not be required of all financial institutions, such as insurance companies.

Are CDD (customer due diligence) policies, procedures and processes adequate; are the actual practices in accord with internal requirements?
Do the personnel of the firm adhere to the firm's AML policies, procedures and processes?
Is training adequate: is it comprehensive, are materials accurate, is there a training schedule, is attendance tracked?

Transaction testing, with particular emphasis on high risk operations, such as products, services, customers, delivery channels, and geographic locations.
Transaction testing should include looking at the entire course of selected transactions, from inception to conclusion.

The integrity and accuracy of management information systems (MIS) used in the AML program, such as reports used to identify:
Large currency transactions
Aggregate daily currency transactions
Funds transfer transactions
Monetary instrument sales.

Suspicious activity monitoring systems to evaluate whether they adequately identify unusual activity.
In particular, review policies, procedures, processes, and the methodology for establishing and applying expected activity or filtering criteria.

Suspicious activity monitoring systems:
The system's ability to generate monitoring reports, and determine whether the filtering criteria are reasonable.

Suspicious Activity Reports (SARs)

SARs are required for actual or attempted transactions aggregating $5,000 or more where money laundering or other illegal activity is suspected.
Is the filtering criterion for SARs set at $5,000 or a lower amount, such as $1,000?

Suspicious activity reporting systems:
Evaluate the research and referral of unusual activity.
Review policies, procedures and processes for referring unusual activity from all parts of the business, such as legal, private banking, and foreign correspondent banking, to the person or department responsible for evaluating it.

Finally, review the effectiveness of the firm's policy for reviewing accounts that generate multiple SAR (suspicious activity report) filings.
This is by no means an exhaustive list; the FFIEC Exam Manual should be consulted for that purpose.
In general, the audit should be an expansive and expandable document.

What happened?
Why?
Are there lessons to be learned?

Background: On August 6, 2007, the US government announced the settlement of a series of civil and criminal actions against American Express Bank International, a bank regulated by the Federal Reserve Board, and American Express Travel Related Services, a money services business.
The Department of Justice, the Financial Crimes Enforcement Network (FinCEN) and the Fed all were involved in the case.

This case resulted in $65 million in forfeitures and civil money penalties against the two companies.
A Justice Department deferred prosecution agreement, along with $55 million in forfeitures relating to illicit funds transfers and other activities.
Civil money penalties imposed by FinCEN.
Civil money penalties imposed by the Fed.

One of the issues singled out by FinCEN relates to independent audit by American Express Bank International.
According to FinCEN, the independent audit was ineffective.
Internal Audit Staff lacked sufficient training and knowledge to facilitate compliance with the BSA.
Audit scopes were not always tailored or designed to capture and test for compliance with certain requirements of the BSA.

Internal Audit staff also failed to conduct sufficient customer transaction testing to adequately evaluate the overall sufficiency of the anti-money laundering program at the Bank.
Furthermore, Internal Audit failed to assist management with tracking and following-up on previously identified regulatory examination deficiencies.
Internal Audit failed to conduct adequate testing of the suspicious activity monitoring system or identify the numerous data integrity concerns associated with this system for an extended period of time. The ineffectiveness of the Internal Audit function at [the Bank] contributed to the failure to identify significant deficiencies in this system before 2007.

The Fed also targeted the independent audit function.
In particular, [the Bank's] internal audit function failed to review the implementation of [its] new automated transaction monitoring system.
Remedial actions required by the Fed included a new independent audit, along with the adoption of a series of procedures laying out the frequency, scope and coverage of the audit program; providing for review of the audit by the Bank's board of directors; and ensuring that follow-up action is taken in response to the audit's recommendations.

Take the audit seriously, particularly when the risk profile of the firm shows that high risks are present. In the Amex case, the high risk activities consisted of private banking services to high net worth Latin Americans.
Don't get overly focused on our neighbors south of the border: note that the US State Department International Narcotics Control Strategy Report states that the US is a high risk country as well!
See Page 44 of Volume II of the 2007 Report, which states that the US is a major money laundering country and in the riskiest of three categories. Other countries in this category include Afghanistan, Mexico, Nigeria, Russia, and Ukraine.

If you use your internal audit department to conduct the independent audit, make sure that your auditors are well trained in AML. Regulatory examiners will know the difference.
Don't try to save money by skimping on the independent audit; it could cost you big bucks later!
