Independent Audits a Challenge for Smaller Financial Institutions

By Brian Monroe

When she helped redesign Bank of America’s Bank Secrecy Act program, Gina Gioia didn’t worry about who would be responsible for auditing it. The bank already had an internal audit team insulated from anti-money laundering duties, but well-versed in AML procedures.

But keeping internal AML audits independent at a smaller bank (she has worked for eight months as a BSA officer for Panther Community Bank in Southwest Florida) is more challenging.

“Going from a larger bank to a smaller bank, you have to wear so many different hats,” Gioia said. Her solution has been to hire an outside auditor and have their work reviewed by the bank’s chief executive officer and the audit committee of the board of directors.

Gioia isn’t alone. Many compliance officers at smaller financial institutions agree that meeting the independent testing requirements of an AML program can be difficult. When banks and MSBs fail and examiners find problems, the results are regulatory sanctions.

In 2007, 51 of the 122 AML enforcement actions issued cited banks for inadequate or non-existent audit procedures, according to Fortent Inform data.

But current and former regulators say there are ways to keep the entire audit or portions of it in-house, a cost savings, if institutions are creative. Cross-training staff in non-AML departments, tapping outside directors or even splitting up audits by business line can allow smaller operations to leverage limited staff to get the audit done.

Agile compliance

For instance, an executive responsible for ensuring the accuracy of mortgage documents could aid in reviewing an institution’s AML program if she is not involved in opening customer accounts. Or, a person who underwrites loans could review the transaction monitoring component of the AML program, said a regulatory source.

Compliance professionals say there are some best practices to keep in mind when structuring an internal audit department or choosing people inside or outside the company to do the audit.

If the audit is done by an internal audit department, which is not an option at most smaller institutions, make sure the committee or manager involved reports to the board of directors and is not directly involved in any business he is auditing.

If the company is not big enough to have a full-fledged audit committee, ensure that the person chosen to do the review has proper AML training and no BSA duties at the institution.

Hiring an outside third party for the AML audit is another way to go, but it also comes with risks. It’s crucial that a bank scrutinize not just the company, but its employees, to determine if they possess adequate experience with BSA rules and have the credentials, including industry or trade certifications.

Back scratching

To save costs, some money transmitters, check cashers and the like use family members working in the same chain but at different stores to review each other, said Jay Postma, president of MSB Compliance Inc., an Atlanta, Ga.-based consulting firm. While that follows the letter of the rules, it’s unlikely to satisfy regulators because those family members aren’t likely to be properly trained to conduct an audit, said Postma.

New York AML consultant Jeff Sklar has seen internal audits at money service businesses (MSBs), done by a relative or worker at the store, that were “just horrible. It was one page, saying everything was great. That’s not enough for regulators. They want to know what the qualifications of the people doing these reviews are.”

Creativity a must

The latest Bank Secrecy Act Anti-Money Laundering Examination Manual isn’t specific about what it means to keep the testing independent. The manual states the work can be performed by the “internal audit department, outside auditors, consultants, or other qualified independent parties.”

While that gives smaller institutions more options, some compliance officers say that guidance is vague and can be difficult to comply with if they don’t have a fully-staffed internal audit department or can’t afford expensive third-party reviews.

Todd Wenzel, who is both the chief financial and AML officer of Prime Bank in Melbourne, Fla., said his bank is too small to hire a full-time internal BSA auditor.

“I am kind of a dying hybrid,” he said, adding that to avoid any conflicts he uses an outside firm, rather than doing an internal AML audit, because he can’t be “checking my own work.” He adds that if the bank grows much larger, he’ll have to shed his compliance officer duties anyway.

There are myriad ways to craft an internal auditing program, even for a smaller institution, which will satisfy examiners and keep compliance costs down, according to one regulator.

“Some smaller banks may feel like it’s impossible, but I have seen it work with no conflicts,” the person said, adding that the key is giving sufficient AML training to departments and business lines that are completely separate from the BSA compliance area.

Employees who are not full-time, say someone who handles safety deposit boxes or wires, can be effectively cross-trained to take part in internal audits, the regulator said.

Under the scope

Interagency guidance released in March 2003 states that the resources for an internal audit department “for AML and other divisions” should be based on the institution’s “size, nature and scope” of its activities and provide “vital information about weaknesses” so that management can take prompt remedial action.

The guidance gives special attention to smaller institutions, stating that a bank doesn’t need to have a full-time internal audit manager as long as the person or people reviewing the internal controls are not also responsible for “managing or operating those controls.”

One solution for smaller institutions, according to the guidance, is to use a blended approach to internal auditing. Use what limited independent staffers are available for the simpler aspects of the review, say customer due diligence, and pull in outside help for the more complex components, like transaction reviews.

Outside help

In the case of MSBs, where the staff is the husband, wife and son, they are “really not equipped to handle everything up to the standards” of state and federal AML laws, said John Bishop, senior administrator of the Ohio Division of Financial Institutions.

He said the current consensus is that MSBs should hire outside auditors, typically smaller consulting firms. “The regulations don’t require it, but it’s what we have been seeing more of from our providers.”

But bringing in an outsider is no guarantee of a perfect score, said Bob Serino, senior counsel with Buckley Kolar LLP in Washington, D.C., and a former regulator with the U.S. Treasury’s Office of the Comptroller of the Currency. While consulting firms will claim they are “AML experts,” their experience can vary dramatically, Serino said. Even smaller consulting firms aren’t cheap, charging between $2,000 and $5,000 for AML reviews.

And even if a potential auditor claims to be a “former regulator or examiner,” the institution should delve deeper and see which regulator, how long they worked there, and what their area of expertise was, and determine if that matches well with the institution’s risk profile, Serino said.

“It’s a judgment call,” he said. But if an outside auditor misses major red flags, the bank will pay the price for their mistakes. “You get what you pay for.”

Document Date: April 22, 2008