News

Intended to ensure strong Bank Secrecy Act programs, compliance audits can nonetheless have an unintended consequence: they can get banks in trouble, say consultants.

In congressional reports, regulatory actions and court documents made public since July, federal and state officials have cited poor internal and external audit controls at HSBC Holdings Plc, Standard Chartered Bank and Banamex USA-some of the most high-profile anti-money laundering (AML) investigations disclosed this year.

For many Bank Secrecy Act (BSA) staffers, audits can be arduous and stressful projects. At times, there can be an “institutional rivalry, even a hostility that exists,” between AML officers and the colleagues who evaluate their work, according to Ross Delston, an independent compliance consultant based in Washington, D.C.

“A lot of AML compliance people view them as the enemy because the auditors have a great deal of power and they know they don’t have to get along with the compliance people because audit has separate and independent reporting lines,” said Delston.

But being upfront with auditors and disclosing any potential problems can help shield an institution from regulatory actions, said Delston. What’s more, if auditors agree that certain issues need to be addressed, they might be allies for BSA officers trying to expand the department’s staff, upgrade software or garner needed funding, he said.

That same spirit of transparency and cooperation should be evident in documentation, according to Delston. In recent years, bank examiners have more closely reviewed not only how auditors have reached their conclusions but whether senior executives have asked that the reports be excised of damaging information, he said.

In August, New York State officials accused Deloitte & Touche LLP of intentionally omitting “critical information” in an audit of Standard Chartered Bank at the request of the financial institution. New York officials cited an e-mail from a Deloitte partner allegedly characterizing a draft report as “watered-down” to avoid political problems for the bank.

Standard Chartered paid the state $340 million that month to settle related allegations. Deloitte denied the characterization of its role in a statement.

Questions have also arisen about the independence of internal auditors, particularly at non-U.S. banks, according to Thomas Flattery, a former Federal Reserve examiner who advises banks. At times, supposedly independent audits have been “heavily revised” at the behest of bank executives, he said.

“That was a major problem in HSBC because the audit was changed,” he said. “In some banks, the top executives are used to everyone jumping to attention when they speak, including the AML staff.”

To avoid arousing regulatory suspicion, there should be “no separate work papers” that aren’t available to examiners, said Delston.

High demand

Regulatory demands have also increasingly prodded banks to hire in-house auditors rather than rely on third-parties, said an anti-money laundering (AML) compliance officer in a large U.S. bank based in New York. The institution has an AML-focused audit team to conduct global reviews of jurisdictions, products and compliance controls, the person said.

“There is a lot of demand out there for experienced AML auditors,” said the compliance officer, who asked not to be named. “More banks are going that way, looking for dedicated AML auditors because regulators are expecting it.”

The right team of auditors should be quick and creative, and they should make use of the findings of other ongoing audits, according to an AML auditor who works for a New York-based bank. In general, auditors shouldn’t have only a narrow specialization that hinders them from writing useful reports, said the person, who declined to be named.

One means to strong compliance is to have auditors and AML officers train together whenever possible, not only on recent money laundering trends but on changing regulatory expectations, said the auditor.

To expedite evaluations, some AML departments have been testing their own controls to facilitate the work of internal or third-party auditors, said the person.

“The AML testing is apart from audit and is owned by and under the authority of AML,” said the auditor. “Now technically, those tests are not independent, but they can inform audit and give a good opinion about how certain program elements or business lines are working. AML staff can also request that business line leaders test themselves in self-assessments to spot problems.”

Honing your audit

For many large financial institutions, it is simply impossible to effectively audit an entire BSA compliance program every 18 months, as recommended by the interagency exam manual.

Instead, the institutions should focus on auditing important aspects of their programs-such as foreign and domestic politically-exposed persons, foreign affiliates and correspondent banking relationships-and then testing other aspects-such as the depth and timeliness of customer risk assessments and the accuracy of client data-during the next 18-month cycle, according to the auditor.

“If we try to test everything, then we don’t test anything well,” said the person. “Structuring the audit based on the business lines and products that are higher risk allows us to do a deeper dive.”

But when staggering audits, banks must be sure to draft a specific plan making clear when other aspects of an AML program will be reviewed and why certain products or geographies were reviewed first, said Vasilios Chrisos, who oversees the management of the Macquarie Group’s AML and sanctions programs, in North and South America, during an ACAMS Web seminar earlier this month.

After the 2001 terrorist attacks, for example, Chrisos’ bank chose to audit foreign affiliates and private correspondent banking to see if the evaluations would turn up any evidence of terrorist financing, he said, adding that auditors should be sure not to wait an entire year before checking whether recommendations have been adopted.

“The independent auditor should say we are not covering countries X, Y and Z and business lines A, B and C, this year, but we will be covering it next year,” Delston said.

When working with an external auditor, banks should also be careful not to limit their staggered reviews, according to Arnie Scher, chief executive of New York-based Jade Information Systems, a consulting firm.

“Banks are concerned about costs, so some dark corners don’t get looked at,” said Scher, a former compliance manager with JPMorgan Chase. “What they present to you is very controlled and when you ask for certain documents and transactions they say no because it’s out of the scope of the review.”

Checking alerts

In gauging whether transactional alerts are functioning properly, auditors and the compliance staff they work with should focus less on whether alerts are cleared in a timely fashion and more on whether the right transactions are getting flagged, said the auditor.

For example, a relatively low number of alerts generated for a business line could be the result of unduly high-dollar thresholds, said the person. But a relatively high number of alerts that translate into few suspicious transaction reports (SARs) can also signal a problem with a bank’s software settings.

“If there are too few SARs, it’s not worth the time the bank is spending and it should consider adjusting the thresholds and parameters,” said the auditor.

Since transactional alerts can have a false positive rate as high as 90 percent, auditors and compliance staff should first evaluate the alerts related to high-risk clients and business lines, said Delston. Alerts related to politically exposed persons, for example, should be considered a higher priority in audits than alerts than can be analyzed within minutes, he said.

Banks may also choose to team up auditors who may best be able to investigate complex alerts, allowing others to evaluate how software handles low-priority alerts, he said.

Getting help

When working with third-parties, banks will want to be sure to set clear but flexible parameters for audits, according to a federal regulatory examiner, who spoke on the condition of anonymity.

For instance, banks should give auditors a rough estimate of how many hours should be spent on each aspect of an audit while allowing some additional time for follow-up questions and testing that may be necessary, said the examiner. A clear deadline for a final report should also be established, said the person.

That doesn’t mean that banks should always stick to their original plans. On the one hand, third-party auditors shouldn’t be allowed to spend too much time evaluating low-risk products or geographies, but on the other, banks shouldn’t necessarily deny data requests outside the scope of the audit, the person said.

Regulators generally expect the “bank to be very expansive with the scope, but also very specific as to what areas it wants the independent auditors to focus on,” said the person.