NJBankers 2016 CFO Conference

BSA Validation How to Evaluate Your Need

David Lutz, CAMSSenior Manager, BSA/AML

P&G Associateswww.pandgassociates.com

WhatsYourRisk@pandgassociates.com

Agenda • Regulatory Environment & Trends• Model Risk Governance Framework• BSA/AML Model Risk • BSA/AML System Validation• Engaging a Third Party • Benefits of BSA/AML System Validation• Key Takeaways• Q&A

Regulatory Environment

• Growing knowledge and expectations of examiners; greater scrutiny of AML models when assessing the soundness of BSA/AML Programs

• Majority of financial institutions regardless of size are using AML system technology

• Technology is not a panacea• Banks can’t just “Set it and Forget it”

• Understand• Validate• Calibrate• Support Settings, Configurations and Usage

Trends in Examinations

• Focus on design and implementation of transaction monitoring systems in alignment with BSA/AML risk

• Expectation of an independent assessment of an institution’s utility of BSA/AML system

• When reviewing the validation report, examiners will:• Evaluate scope of validation work performed• Review validation findings report• Evaluate Management’s response to findings report, including

remediation plans and timeframes• Assess the qualifications of the resources that performed the

validation

Model

Validation

ControlsOversightPolicies & Procedures

Roles & Responsibilities

Model Inventories

Security Controls

Change Control

Data Integrity

Model Documentation

Process Verification

Developmental Evidence

Outcome Analysis

Model Risk Governance Framework

Board & Senior Management

Line of Business Management

Internal Audit

Model Validation Resources

Risk Assessment

BSA/AML Model Risk

• AML model pitfalls• Inaccurate configurations at product installation (e.g. use of

default settings)• Inaccurate mapping of products/services to AML system • The model may be used incorrectly or inappropriately

• Potential adverse consequences• Missing suspicious activities• Financial losses/penalties due to violations• Poor business and strategic decision-making• Reputational damage

• Validation: How effectively is your model operating?

Key Components of aBSA/AML System Validation n• Review of BSA/AML System Design and Coverage• Transaction Code Mapping Analysis• Transaction Coverage Validation• Currency Transaction Reporting• Alert and/or Rule Verification

OFACPEP

314A

Anti-Money Laundering Monitoring

Anti-Fraud Monitoring

Customer Activity

(Transactions)

Core System Transactions

Funds Transfers Activities

ATM/POS Activities

Electronic Banking

Activities

Cash Transactions

Check Deposit

Key Data Mapped to AML System

Case ManagementALERTS

Cash Aggregation & Reporting

BSA Dept./Officer

Suspicious Activity

No Yes

Understanding BSA/AML Systems Workflow

BSA/AML System Validation Approach h

• Review of BSA/AML system design and detection scenarios coverage

• Analyze system scenarios to determine appropriate coverage of products and services identified in the Bank’s BSA/AML Risk Assessment

• The review will also determine if compensating controls exist to ensure coverage outside of the Bank’s BSA/AML system

• Identify coverage gaps and issue recommendations for coverage

BSA/AML Data Validation Approach

• Verify that all applicable core transactions are identified and properly mapped and coded from the Core system to the AML system

• Ensure scope of testing performed by the vendor is comprehensive and provides a sufficient volume and scope of data integrity testing (e.g., sampling a handful transactions isn’t sufficient)

• Verify that all applicable transactions are properly interfaced to the BSA/AML system

BSA/AML System Calibration & Tuning___

• Calibration is expected on an ongoing basis by regulators and examiners

• Are detection scenarios properly configured?• Are thresholds set too high or too low?

• The volume of system alerts should not be tailored solely to meet existing staffing levels

• Are alerts providing meaningful results (e.g. high rate of false positives vs. lack of hits)

• Utilization of the AML system should be constantly re-evaluated based on changes in the Bank’s products/service, customers and direction of risk

Regulatory Compliance Operational Burden/Cost

Finding the Right Balance for Your BSA/AML System

• Benefits of an independent BSA/AML system validation• Internal – Regulators may question the independence of the

work if performed internally • External – Most validations are performed by third-party service

providers• Expertise of system validation staff

• External – Ensure the vendor has worked with the system before, acquire references in the proposal process

• Decision to engage a third party or to perform a validation internally must not be solely based on cost, rather it should be based on the Bank’s risks, volume of transactional data, products/services and customer base

Engaging a Third Party for BSA/AML System Validation n

Benefits of BSA/AML System Validation

• Confirms accuracy and completeness of inputs, outputs and reporting

• Reduces the risk of system errors• Reduced remediation and lookbacks• Increased operational efficiency • Greater cost-effectiveness over time

Key Takeaways_________________

• Prior to engaging a third-party service provider, ensure the scope of work correlates to the testing and verification of the AML system functions

• Ensure the scope of work includes sufficient data integrity testing

• Transaction Code Mapping Analysis• Data Integrity Testing• AML System Alert Verification Testing

• Vendor should support the assessment and testing performed with sufficient workpapers and documentation

Questions?

David Lutz, CAMSSenior Manager, BSA/AML

P&G Associates(732) 651-1700

dlutz@pandgassociates.com