AIMing for Excellence: Optimizing the BSA/AML Training Program as an Effective and Efficient Control, and Audit’s Contribution to this Pursuit

Kathleen O. Smith, CAMS-Audit

Post on 26-May-2020


Table of Contents

Executive Summary

Background

Attributes of an Optimal Training Program

Framework of an Optimal BSA/AML Training Program

Audit’s Approach and Expectations for Training Program Review

Business Process to Capture Audit’s Review Comments and Incorporate into Training Program

Conclusion

Executive Summary

Compliance professionals within financial institutions strive constantly to achieve best in class, and generally view training as a critical tool in achieving this pursuit. Training can truly be an organization’s first, last and best control. Despite the best intentions, budget and resource considerations may present formidable challenges in this endeavor. An organization’s Bank Secrecy Act/anti-money laundering (BSA/AML) training program should be dynamic and continuously assessed, improved and maintained given audit outcomes, in concert with the overall BSA/AML program. This paper’s objective is to illustrate audit’s key contribution in the organization’s design, delivery and management of training. Consideration throughout will be given to training as an optimal control, using a continuous program enhancement approach.

This paper is intended to complement the audience’s training design, delivery and management toolkit by engaging audit as collaborator to achieve a more effective and efficient continuous program enhancement. The target audience is principally financial institutions relatively new to regulation and those for whom resource and budget considerations are formidable. Ideally it will also be a useful resource to a broad audience comprised of compliance, audit and business professionals within the financial services sector.

This paper will primarily use experience-based resources to validate the conclusions reached. When possible, industry voices of experts will be referenced. Additionally, details will be provided on associated processes suggested to achieve desired outcomes.

Key focal areas will include:

Attributes of an optimal training program;

Framework of an optimal training program;

Audit’s approach and expectations for a training program review; and

Business process to capture audit’s review comments and incorporate into training program, with consideration given to continuous people, process and platform/technology enhancements to achieve overall continuous program enhancements.

As the compliance environment becomes increasingly demanding, draining already scarce resources with its expectations for excellence, organizational focus on efficiency and effectiveness continues to grow and evolve. The solutions to this approach are not new and can be found within the day-to-day operations of business, compliance and audit. This paper is designed to serve as a useful resource and tool to foster and strengthen dialogue and collaboration among all constituents in striving for efficiency and effectiveness, while ensuring that compliance continues to be good business and everyone’s business.

Background

There is little doubt that financial institutions are constantly striving for excellence in BSA/AML training program design, delivery and deployment, as well as the overall BSA/AML program off which training drives. Significant literature and guidance are available in this arena, particularly the dynamic Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual, most recently updated in 2010. However, when addressing the optimal process for this design, delivery and deployment, approaches can vary significantly given such organizational considerations as business scope, resources and time within the regulatory community.

Aiming for Excellence1 may seem challenging, as it comprises numerous steps: a process of continuously assessing what is necessary; continuously improving processes and controls to ensure appropriateness; and continuously maintaining program excellence through an effective control process. The intent of this approach is not to add an additional level of work, or create a stand-alone activity, but rather to leverage the lines of defense or layers of opportunity that are in place. Compliance and audit are, after all, reliant upon the organizational business activities either in place or in continuous development given ongoing expectations. If the business is continuously assessing, improving and maintaining its processes, compliance and audit’s roles of validation and advisement become invaluable in this continuous improvement process.

To further elaborate on the rationale of this paper, it is helpful to provide a definitional breakdown of the key components:

Optimizing, or optimization, includes finding the best available outcome.

Effective, or effectiveness, is the capability of producing a desired result.

Efficient, or efficiency, describes the extent to which time, effort and cost are well used for the intended task or purpose. It is often used with the specific purpose of relaying the capability of a specific application of effort to produce a specific outcome effectively with a minimum amount or quantity of waste, expense or unnecessary effort.2

While these definitions and approaches are well known among this paper’s audience, it is often helpful to remind ourselves and our organizational constituents of these as days become shorter and requirements become greater. Efficiency and effectiveness are not luxuries but necessities given the time it takes daily to achieve such well-known compliance philosophies as: trust but verify; if you do not document, you did not do it; if you document, you do; and when in doubt, take the conservative route. A focus on the continuous cycle of assessing, improving and maintaining with audit’s help can turn this challenge into an invaluable opportunity.

1 Approach developed by author based upon prior work with process efficiency and Six Sigma experts

2 Wikipedia, the free encyclopedia

Attributes of an Optimal Training Program

Comprehensively reflects compliance and governance expectations;

Guides population on process-specific means to achieve expectations; and

Embraces existing and/or newly defined business processes as foundation to achieving expectations.

Each of the above-referenced attributes can be accomplished more efficiently and effectively by leveraging the lines of defense or layers of opportunity. While everyone within an organization is responsible for a level of knowledge associated with regulatory requirements, given the nature of the various activities, the depth of necessary knowledge may be greater depending upon the roles and responsibilities. Thus, recognizing and embracing the knowledge of the experts among all organizational constituents can be beneficial in achieving an ideal depth and breadth of training.

Guidance from the regulatory community as well as law enforcement can also play a major contributory role in optimizing the training program. “One of the most simple, but sometimes overlooked ways to stay current with emerging AML risks is to cultivate and develop contacts with law enforcement agencies. While there are obvious barriers to sharing certain information, law enforcement officers can sometimes provide insights into new money laundering schemes, red flags that are important for current risks, and emerging crime patterns that may be specific to your bank’s location(s).”3

While the overlay of an optimal training program may be the comprehensive coverage of the regulatory expectations, the foundation built upon existing and/or newly defined business processes with appropriate process-specific guidance is the beginning of the path to efficiency and effectiveness. The business cycle can be reflected as a continuum over which the requirements can be laid:

Policy = defines the requirements and the rationale behind them (i.e., the what and why);

Procedures = highlights the who, when, where and how associated with the requisite requirements;

Process = generally details the step-by-step particulars of the procedures;

Controls = reflect the checks and balances which are in place to govern the process, procedures and policy; and

Practice = evidences what is actually occurring, which may or may not be consistent with expectations, thus resulting in audit and regulatory review outcomes which prompt refinements.

3 ABA Bank Compliance, Nov-Dec 2013, Managing an Effective AML Program, by John H. Atkinson, CAMS

From a training program design, delivery and management perspective, embracing the referenced continuum lends itself to efficiency and effectiveness. As regulatory requirements change, the continuum should be changing to reflect the most current state. As regulatory requirements prompt policy change, training content reflective of policy becomes a given. It also becomes a good check and balance, or control, to ensure that current state is always in place. This is also true with procedures and process, which help to more fully define the most appropriate training population and frequency, coupled with the methods of delivery to best fulfill the training requirements.

Fortunately, given the risk-based approach, which has become the norm, risk considerations contribute to ensuring that the depth and breadth of policy, procedure, process and controls are appropriate to the risk. They also contribute to the pursuit of efficiency and effectiveness.

While all of the above make good common sense, the daily pressures, burdens and costs of everyday business and compliance life tend to result in diversion from this approach. When demands become overwhelming, a reminder of the basic business continuum aligned with associated risk can be useful. Most importantly, documentation reflecting this continuum and the rationale behind it can go a long way toward achieving satisfactory outcomes in audit reviews and regulatory examinations, as well as business strategy and general compliance well-being.

Each training topic has an expert or experts within the organization who can be leveraged to assist in ensuring that appropriate training is in place without reinventing the wheel. While business professionals may not be the resident experts when it comes to regulation, they are truly the experts when it comes to business and the requisite processes associated with optimizing business value. Thus, defined and documented business process established by the resident business experts becomes an effective and efficient first step in the assurance of appropriate training.

While the business process may be a good first step, regulatory expectations which drive compliance and governance expectations are a necessary component. The compliance and legal communities are generally the drivers of these expectations, with audit playing a key validation role. While audit is certainly expected to be an objective third party in this endeavor, its value should not be underrated. Audit is not only an expert, but can also serve as an invaluable guide and font of knowledge capital, which can be embraced by both the compliance and business communities.

As a former internal examiner in commercial banking, the author directly experienced the reluctance of the business community to embrace this referenced role as advisor. However, as the voice of this role was truly the last step before the regulator’s voice was made known, it was imperative that our knowledge base was extremely comprehensive and our mission to ensure all issues were identified prior to regulatory review was clear among all. Initial resistance to the time and resource demands of internal reviews quickly dissolved as the business professionals realized that our time spent and outcomes communicated were in fact complements to the scarce business resources if embraced as such.

Framework of an Optimal BSA/AML Training Program

Per the FFIEC BSA/AML Exam Manual, “Banks must ensure that appropriate personnel are trained in applicable aspects of the BSA.”4 The manual shares a significant amount of invaluable detail associated with the training program requirements. An optimal BSA/AML training program comprises information appropriate to the requirements and population, and addresses who, what, when, where, why and how for each appropriate to the nature of the training. Depending upon the organization’s scope of activities, it will generally be comprised of the following types/levels of training:

Awareness = information required by total population

Targeted = specific to lines of business as applicable

Tailored = role or function specific and highly reflective of business process

Awareness training, sometimes identified as enterprise training, is usually required of all employees, regardless of role, driven by risk-based regulatory and enterprise expectations with frequency generally aligned with these expectations.

Targeted training is generally required of all employees within the particular product and oversight area of focus, based upon the business line’s involvement in the oversight area.

Tailored training is generally very specific to the particular role, and the root of this type of training may be the business processes and procedures currently in place.

Rarely is awareness training the only level in place, as it is a challenge to design content that can comprehensively address all levels of training needs within the organization in a single approach. However, organizational policy and procedures are a great starting point at this level of training development, as these documents should reflect the minimum requirements necessary for all to know within the organization. While there may be an organizational view that this training is not required of everyone given respective roles, it is a good rule of thumb to design this training for everyone within the organization to demonstrate a level of awareness regardless of role.

4 FFIEC BSA/AML Exam Manual, BSA/AML Compliance Program Overview – 2010, page 37

While targeted training goes one step deeper, generally focused on particular lines of business, which perform activities relevant to the need to know areas of the BSA/AML risk environment, it can be readily built around awareness training, using specific cases or examples targeted at the business activities under discussion.

Tailored training, generally process driven, can be readily built using existing business processes while tailoring the particular process steps to the expectations associated with BSA/AML and the relevant risk. It also lends itself well to a checklist framework, with the process and associated controls embedded within the checklist. This approach not only enables a readily available controls review, but also provides a strong framework for remedial training should there be a need given controls or audit reviews that reveal unexpected outcomes needing refinement.

Given the dynamic nature of the BSA/AML environment, and the necessity to maintain a current and relevant training program, audit reviews can provide a great resource to update and refine content in an efficient and effective manner. While it is hoped that organizations will not have source materials driven from regulatory enforcement actions, with audit’s outcomes providing sufficient guidance to preclude these events, when these do occur they can also fuel the refinement of training to minimize the risk of future such events.

While each financial services organization may approach the design, delivery and management of its training program in a distinct manner, noted below for consideration are some tips gleaned from experience and guidance shared by compliance leaders across the sector, both large and small. While some version of these approaches may already be employed within the organization, when employed fully they may enhance the efficiency and effectiveness of the program’s framework:

Use or establish designated compliance subject matter experts to contribute the relevant subject matter to the training content, particularly for the awareness training;

Partner the designated compliance subject matter experts with line of business specialists to guide the targeted and tailored training, using as a foundation the existing or newly refined business level processes and procedures and crafting the content around this documentation as appropriate;

Use all available resources as content contributors and ongoing training resources, including industry-sponsored newsletters, webinars, conferences, as well as internal communications from business leadership and compliance;

Establish either systematic controls or documented checklists which serve as an evaluative tool for the training effectiveness, prompting remediation training for the relevant personnel as needed should control breaks occur;

With the above-noted decentralization of content development, centralize and if possible systematize the administration of the deployment to make completion reporting readily available when needed;

Ensure that completion reporting comprehensively reflects the total population, rather than simply those complete, to ensure that incompletions can be tracked as readily as completions;

Include a general training section within policy, and a more specific training section within procedure, which can be readily referenced not only during control and audit reviews, but also referenced and followed by business as a clear training guide; and

Formally review the training program on a regular basis, and document this review, to ensure that all particulars associated with the program are relevant based upon the current regulatory climate and the organization’s internal and external review experiences.5

Audit’s Approach and Expectations for Training Program Review

In accordance with the FFIEC BSA/AML Exam Manual, audit should “determine whether the following elements are adequately addressed in the training program and materials:

The importance the board of directors and senior management place on ongoing education, training and compliance.

Employee accountability for ensuring BSA compliance.

Comprehensiveness of training, considering specific risks of individual business lines.

Training of personnel from all applicable areas of the bank.

Frequency of training.

Documentation of attendance records and training materials.

Coverage of bank policies, procedures, processes, and new rules and regulation.

Coverage of different forms of money laundering and terrorist financing as it relates to identification and examples of suspicious activity.

Penalties for noncompliance with internal policies and regulatory requirements.”6

Audit’s approach to an assessment of the BSA/AML training program is relatively clear, given the FFIEC’s well-defined examination procedures highlighted above. While the requirement for an assessment is relatively objective, the assessment can become quite subjective based upon the individual(s) performing the assessment, as well as the evidence of training available and provided to audit. For example, senior leadership’s culture of compliance may be well stated within business memoranda and evidenced through the presence of required training. However, training reports may reveal that business leaders are either the last to complete the requisite training or have not yet completed at the time the audit assessment is performed. An observation such as this could be particularly impactful given the current regulatory climate, which is increasingly focused on board and senior management accountability. As noted by the Comptroller of the Currency Thomas J. Curry, during his speech at the recent ACAMS Conference, “when we look at the issues underlying BSA infractions, they can almost always be traced back to decisions and actions of the institution’s board and senior management.”7 Additionally, receipt of requested documented training reports may be delayed as reports must be created specific to the requests rather than being readily available. As is common knowledge, subtle clues to the state of training such as this can be as detrimental to the review outcomes as the lack of appropriate content or inadequate personnel coverage.

5 Guidance obtained from numerous financial services’ Compliance leaders by author in preparation of a comprehensive Compliance training program evaluation

6 FFIEC Manual, BSA/AML Compliance Program Overview - 2010, page 42

Audit’s contribution to the training program design, delivery and deployment in an optimally efficient and effective manner begins well before the training program review itself. As audit is charged with reviewing the overall BSA/AML program and its components, the outcomes of these individual reviews can provide a treasure of guidance on organizational needs for BSA/AML training. Identification of organizational issues may indicate weakness in the guiding governance documentation, which generally provides the foundation for training content. Recognition that this documentation needs refinement is a good first step toward ensuring that training is an optimal control. Deficiencies in any area of BSA/AML can readily feed into the core governance documentation, which can then serve to feed training design, delivery and management.

While enforcement actions may cite training as a deficiency, such as those instances noted on FinCEN’s site regarding recent actions against Toronto Dominion, Saddle River and HSBC Banks,8 in many instances a particular area of concern is noted with no reference to training. However, if either process or practice reflects inadequacies, the underlying governance documentation is likely a factor. If this documentation is used as a basis for training, which should be the case, then an enhancement to this documentation and the underlying training should remedy the situation and preclude future instances of such deficiencies being cited.

In treating training as the first, last and best control, with audit’s review of it as such, it is clearly possible to enhance not only the training program’s efficiency and effectiveness but also to minimize the risk of regulatory infractions and valuable time spent on remediation. It is always helpful to keep in mind that the business is the driver of activity, with the regulatory umbrella overlaid across all existing governance expectations and prompting refinements as needed. Audit is an invaluable resource to ensure that this situation remains intact and as robust as possible.

7 Remarks by Thomas J. Curry, Comptroller of the Currency, before the Association of Certified Anti-Money Laundering Specialists, Hollywood, Florida, March 17, 2014, OCC.gov, News Releases 2014-39 http://www.occ.gov/news-issuances/news-releases/2014/nr-occ-2014-39.html

8 FinCEN Enforcement Actions http://www.fincen.gov/news_room/ea/

It is virtually impossible for everyone to know everything there is to know about all aspects of any regulation, including BSA/AML. However, within the organization’s compliance and controls infrastructure and audit, there reside specialized generalists who are responsible for being knowledgeable and current in their knowledge of all that is necessary to keep the organization within regulatory good standing. Auditors can be relied upon as in-house resident experts on the subject matter they review, despite their need to be objective in assessments. Thus, it is extremely useful to maintain a robust dialogue with these specialists, as they can provide not only lagging, but also leading indicators to the regulatory environment. As it is always in an auditor’s best interest to identify any and all issues prior to any examiner review, this font of knowledge can be an invaluable resource in ensuring that the BSA/AML training program is satisfactorily robust in all areas to preclude the examiner’s need to cite issues or force remedial action within the organization.

Among the lines of defense or layers of opportunity, audit’s role should not be overlooked, whether an in-house team or an external consulting organization. While the time required throughout the review to prepare and address any and all considerations seems overwhelming at times, the extra pair of eyes and ears made available and the invaluable knowledge capital readily shared cannot be overstated. As Jeffrey Houde cites in his CAMS-Audit white paper entitled A Principles-based Approach for Auditing Board Reporting, “to ensure an effective partnership with the client, it is helpful to proactively communicate changes in regulatory expectations and the impact to the client as it becomes known. This will allow the client to begin to comply with the new expectations prior to the audit, helping them to enhance their risk management practices and saving them from being cited unnecessarily in the audit report.”9

Rather than viewing the need for an audit review as a resource drain, it can be embraced as providing an additional invaluable resource with a finger on the pulse of current and prospective regulatory considerations to incorporate into governance and training documentation and practice. As someone who directly experienced the reluctance to embrace, yet concluded with the welcoming as a trusted resource, this author has seen how opportune these reviews can be to all parties involved in not only fostering efficiency and effectiveness but also in realizing true program quality.

9 “A principles-based approach for auditing board reporting,” Jeffrey Houde, CAMS-Audit

Business Process to Capture Audit’s Review Comments and Incorporate into Training Program

In all instances, the collaborative endeavor of compliance, audit and business can become more efficient and effective by giving consideration to continuous people, process and platform/technology enhancements to achieve overall continuous program enhancements. This can be accomplished by ensuring that a continuous cycle of focus is in place at all levels, reflected in three stages as follows:

Assessment phase = reviewing what should be done, initiated by a gathering process and concluded with a discussion among all appropriate constituents;

Improvement phase = referencing regulatory expectations, industry guidance and business needs to enhance existing program, achieved through an initial review and subsequent implementation process; and

Maintenance phase = ensuring control environment is properly maintained or refined as needed, and comprised of an ongoing review and validation process to confirm the appropriate environment is in place.10

At the most basic level, compliance can be defined as:

Knowing what must be done;

Doing what must be done; and

Demonstrating that what must be done has been done, through documentation.

Given the three lines of defense or layers of opportunity, which exist with the collaborative endeavors of business, compliance and audit, to achieve compliance in the most effective and efficient manner, it is useful to ensure that a dynamic continuum is in place.

At its simplest, the collaborative process involves assessment, improvement and maintenance activities at each level. Business is charged with establishing processes to manage according to not only the organizational needs but also the regulatory climate. Ideally, a control environment is in place, which ensures that practices align with processes, regularly evidencing this situation with clear and concise documentation. Ideally, compliance provides continuous guidance in concert with legal as needed to ensure that the regulatory overlay within the business is timely and appropriate. Compliance may, in fact, perform its own control reviews to validate business conclusions. Finally, audit steps in to affirm or otherwise, ideally simply validating the prior conclusions. Each constituent is engaged in continuous enhancement activities as a part of the daily flow of responsibility. At each level, should there be a need for revision due to either anticipated or unexpected considerations, the flow of process, control and review and associated documentation is naturally amended to reflect these considerations.

10 “Compliance, Whose Job is it Really,” March 2012 presentation by author to regional Compliance association

To achieve a state of optimization with the BSA/AML training program, it is useful to ask these questions at every stage of the assessment, improvement and maintenance phases:

What could our people have done differently?

How could our process have been redefined to obviate the issue?

What, if any, technology changes could be made to enhance the situation?

In each of these instances involving people, process and technology, there are certainly training considerations. While training program considerations can be cited in audit and exam outcomes, basic deficiencies in people, process and/or technology have at their root the opportunity to be remedied through training. For example, if a software program evaluation performed by an external vendor cites a situation where a suspicious activity report (SAR) module is not being properly used, this could result in insufficient identification and/or reporting of unusual or suspicious activity. Training is likely at the root of this situation, or it can certainly be deemed a consideration. However, if the use of the module is not assessed, improved if needed (as in this case), and maintained through the ongoing evaluation and validation of use, the situation could ultimately result in an audit or examiner citation.

Audit provides a wealth of knowledge capital with its review outcomes across the BSA/AML program, which can be used to ensure that the BSA/AML training program is truly best in class. While the training program review is also invaluable, it is essentially the culmination of the overall program reviews and will likely be more of a validation exercise. It is the ongoing assessment, improvement and maintenance across the program which is the key contributor to this best in class situation. No review can be overlooked, whether a business product review or the consideration of new technology to enhance an existing business process. In each instance, there are BSA/AML considerations which can be adopted within the training program to minimize the risk of future issues or deficiencies within the overall program.

Throughout the assessment, improvement and enhancement stages, consideration of the impact on people, process and technology guides constituents to ensure that all aspects associated with training are captured. In each instance, the who, what, when, where, why and how can be asked and addressed to ensure that no stone is left unturned when it comes to communicating expectations and embedding those expectations within training programs. Audit as the continuous final layer of defense or level of opportunity can be invaluable in this endeavor, as auditors truly are an expert partner and resource.

Conclusion

The BSA/AML training program is not only the end game, but also the resource that demonstrates that BSA/AML compliance is good business and everyone’s business. An efficient and effective training program, which is continuously assessed, improved and maintained, can serve as an optimal control tool for the organization. Business, compliance and audit each have an invaluable role to play in this pursuit. Through their collective contributions, the BSA/AML training program can readily evidence a culture of compliance embraced by the entire organization.