PLANNING AND DESIGNING AN EFFECTIVE AML-TRAINING PROGRAM FOR FINANCIAL INSTITUTIONS AND AUDITING ITS EFFICIENCY
Riitta Erkko
15.3.2019
Table of Contents
I Introduction
II Regulatory Obligations and Guidance on AML Training
    AML/CFT Regulation in European Union (EU)
    The Bank Secrecy Act
    Resemblances and Differences
    Risk-Based Approach in AML Training
III Basic AML/CFT Training Program
    Training Needs Analysis—TNA
    Step 1: Previous Training Provisions
    Step 2: Future Training Objectives and Planning
    Step 3: Delivery of Focused Plan
IV Planning and Developing an Effective AML/CFT Training Program
    Who to Train? Target Audience
    What to Train? The Topics to Be Taught
    How to Train? Ways of Communication
    When to Train? Delivery Methods
V Audit’s Approach and Expectations for Training Program Review
    Fundamentals of BSA/AML Area
    Tying Wire Between Training and the Other Pillars of BSA/AML Compliance Program
    Competency of the Auditors Regarding Appropriate Training
    Developing Conclusions and Finalizing the Audit Review
VI Implementation of Audit’s Recommendations
    How to Ensure that the Requested Action Plans Will Be Executed
    Action Plan and Follow-up Process
VII Key Takeaways and Conclusions
    Training Needs Analysis
    Competence Requirements for an Auditor
    AML Training is Communication
References
I Introduction
The financial industry has a core role to play in preventing money laundering and terrorist financing. Strong financial crime management practices can be considered one of the most powerful devices against financial crime. Good practices can help identify perpetrators and terrorists and prevent them from carrying out their criminal plans.
Money laundering and terrorist financing schemes are rapidly evolving, and the pace of the technological development of new payment methods is huge. It is self-evident that most of the people employed by financial institutions cannot be hot on criminals’ heels or keep up with technological development, and, finally, be able to apply that knowledge in their anti-money laundering and counter-terrorist financing (AML/CFT) responsibilities at work. Therefore, training is an essential component of raising awareness among an organization’s staff of the money laundering risks in product and service development, and of observing methods potentially related to money laundering or terrorist financing in the financial industry.
Unfortunately, training tends to be easily forgotten in everyday life, although training is a regulatory requirement in most countries:
“Obliged entities shall take measures proportionate to their risks, nature and size so that their employees are aware of the provisions adopted pursuant to this Directive. Those measures shall include participation of their employees in special ongoing training programs to help them recognize operations which may be related to money laundering or terrorist financing and to instruct them as to how to proceed in such cases.”
EU’s 4th AML Directive
However, more often than not, training is the area where the purse strings are tightened when the expenditure budget is exceeded. Trimming staff’s AML/CFT training is unwise and indicates that the financial institution has not quite understood the value of skilled employees and their efficient training as a control tool. Effective training can be considered the first, last, and best AML/CFT tool for risk management and control.
Sources: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L0849&qid=1563038972644&from=EN and https://bsaaml.ffiec.gov/docs/manual/BSA_AML_Man_2014_v2_CDDBO.pdf / Article 46 Federal Financial Institutions Examination Council: Bank Secrecy Act/Anti-Money Laundering Examination Manual (FFIEC BSA/AML Examination Manual 2014) / Suspicious Activity Reporting: Managing Alerts
A robust and sound AML/CFT training program is critical to financial institutions, because it
shows that the organization understands and manages its AML/CFT risks.
The following chart[1] presents comments or criticism from auditors or examiners in many areas of AML/CFT processes related to training:
Source: Maleka Ali (CAMS Audit—White Paper): Auditing for Effective Training
It would be interesting to know which share of criticism in areas such as customer onboarding and account/activity monitoring could have been avoided if training had been delivered to appropriate personnel. As far as I am concerned, targeted or tailored training would certainly have diminished the figures above.
My objective with this white paper is to help management and staff in banks, or any other financial institutions, understand that roles and responsibilities of various types in the organization (front line, investigators, analysts, compliance, IT, audit, senior management, etc.) require different kinds of training. No more “tick-the-box” exercises. It is important that everybody understands his/her own role in the AML/CFT process in different units or levels of an organization.
[1] Maleka Ali
Designing training programs and action plans does not ensure efficiency and effectiveness of training. Therefore, in this white paper, I aim to outline the roles and expectations of audits, and the means of supporting financial institutions in a proactive way while auditing the training framework. Audits can strengthen the importance of AML training as an extensive control tool within the framework of financial institutions.
Finally, an interesting point of view concerning training programs is the question of whether auditors are knowledgeable about the AML/CFT matters that are the subject of their reviews.
My target audience is compliance officers and other personnel in financial institutions who design and deliver AML training programs, and also professionals in business lines, auditing, and senior management. I hope they come to understand the value of AML training, and their own roles as controllers, when putting lessons learned into practice.
II Regulatory Obligations and Guidance on AML Training
As my legal background in AML/CFT issues is in EU regulation, I will compare the 4th and 5th
AML Directives (AMLD) of the European Union and the BSA/AML Act of the United States to
highlight similarities and differences between the frameworks of the two legislations.
AML/CFT Regulation in European Union (EU)
2018 was a revolutionary year in Europe regarding AML/CFT compliance lapses. Instead of U.S.-based financial institutions, the actors of many AML/CFT breaches have been found in Europe (Danske Bank, ING Bank N.V., ABLV Bank, and Pilatus Bank). It seems that Europe has faced a major crisis with money laundering, due to several money laundering scandals last year. In Europe, AML/CFT regulation is based on the 4th AML Directive with the update of the 5th AML Directive, which each EU member country must implement in their national legislation.
In September 2018, the EU Commission announced the strengthening of AML supervision. The target is to concentrate AML powers in relation to the financial sector within the European Banking Authority (EBA) and strengthen its mandate to ensure that relevant authorities effectively and consistently supervise risks of money laundering. All relevant authorities should cooperate and share information. This means the EBA will issue regulations and guidelines to collaborate and support national competent authorities of EU member countries, and oversee them as well.
According to AMLD national AML/CFT legislation of the EU, member countries must have in
place policies, controls, and procedures to effectively mitigate and manage the risks of money
laundering and terrorist financing identified at the level of the Union, the member state, and the
obliged entity.
The policies, controls, and procedures should cover at least the development of internal policies, controls, and procedures, including model risk management practices, customer due diligence, reporting, record keeping, and internal controls. Financial institutions’ staff must participate in special ongoing training programs to recognize operations that may be related to money laundering or terrorist financing.
Regarding the size and nature of the business, the policies, controls, and procedures shall also
include, where appropriate, the appointment of a compliance officer at the management level,
and an independent audit function to test the internal policies, controls, and procedures.[2]
In line with the FATF’s standards, the AMLD puts the risk-based approach at the center of Europe’s AML/CFT regime. Risk assessments are considered an essential means of risk management. Documented risk assessments have been a regulatory requirement only since the AMLD entered into force in 2015. The role of internal or external audits in executing independent testing, alone or in cooperation with another service provider, has not been highlighted in the AMLD, either.
Case law and enforcement actions on a national level, regarding AML/CFT issues, have been infrequent. Perhaps the situation will change as the role of the European Banking Authority, as a regulator and a supporter of national competent authorities, grows.
[2] 4th AMLD
The Bank Secrecy Act
The Bank Secrecy Act (BSA) has been in force since 1970. The BSA is sometimes referred to as an AML law, or jointly as BSA/AML. BSA requires financial institutions in the U.S. to assist U.S. government agencies in detecting and preventing money laundering.
BSA/AML regulation requires every U.S. national bank and savings association to have a written, board-approved program that is reasonably designed to assure and monitor compliance with the BSA. The program must, at a minimum:
- provide for a system of internal controls to assure ongoing compliance;
- provide for independent testing for compliance;
- designate an individual responsible for coordinating and monitoring day-to-day compliance; and
- provide training for appropriate personnel.
In addition, every bank must adopt a customer identification program as part of its BSA compliance program.[3]
According to the FFIEC BSA/AML Examination Manual, financial institutions’ BSA/AML compliance program must be documented, approved by boards of directors, and noted in board minutes. A bank must have a BSA/AML compliance program commensurate with its respective BSA/AML risk profile.
The FFIEC BSA/AML Examination Manual advises actors in the financial industry how to apply
BSA/AML and regulations. The manual is of great help when planning and implementing policies
and procedures in practice.
Resemblances and Differences
The U.S. has a much longer tradition regarding AML/CFT issues than the EU does. The Financial Crimes Enforcement Network acts as the designated administrator of the Bank Secrecy Act (BSA). The BSA was established in 1970 and has become one of the most important tools in the fight against money laundering.[4] In Europe, AML legislation did not enter into force until 1991.
The first AMLD in 1991 was the basic package, requiring EU member countries to implement
laws centered on FATF recommendations. Today, the 4th and 5th AML Directives have repealed
the previous directives. Directives are not applicable directly in EU member states. Directives
must be implemented by the end of a transition period, usually 18–24 months, mentioned in the
directive.
The common feature for both regulations is the risk-based approach. But in the U.S., the tradition of applying a risk-based approach has a longer history than in Europe. Since 2005, depository financial institutions have been required to perform and document a written BSA/AML risk assessment, but in the EU, the requirement of risk assessment documentation was entered into AMLD only in 2015. Hence, the requirement of written AML risk assessment is quite new among EU member countries.
In general, the AML framework looks quite the same in the U.S. and the EU: both regulations require entities to have internal policies, controls, and procedures; CDD-process, SAR-reporting, and internal controls in place; and training for staff.
However, EU’s AMLD and EBA guidelines are lacking adequate practical advice, for example, regarding training. Therefore, I consider the FFIEC BSA/AML Examination Manual an invaluable tool both for authorities and financial institutions when striving to be compliant with BSA/AML regulation. That kind of manual would be of great value for obliged entities in EU member countries, as well.
[3] OCC: BSA and Related Regulations
[4] FinCEN: History of Anti-Money Laundering Laws
Risk-Based Approach in AML Training
Risk-based approach (“RBA”) is a general global requirement documented as FATF’s first recommendation. Risk-based approach should be used when assessing money laundering/terrorist financing (ML/TF) risks to ensure that measures used to mitigate or prevent those risks are commensurate with the risks identified. Risk-based approach is the foundation to the efficient allocation of resources.
In practice, risk-based approach means that financial institutions should apply 90 percent of available resources toward the 10 percent of their business that constitutes the most serious risk.[5]
Risk-based approach in AML/CFT training requires that financial institutions have documented
an ongoing employee training program. In a carefully designed AML/CFT training program, the
focus is addressed to key risks.
Financial institutions’ risk assessment results are a good starting point to create prioritized training. The key issues for training can be found within AML/CFT threats, but also in observations on lacking skills and expertise in certain lines of business or in the process of execution. In such a way, the risk-based approach will be applied almost automatically. Training to address lower or minor risks can be planned thereafter in order of importance.
Well-organized training is not “just” a regulatory requirement. Usually, correspondent banks and investors find it necessary to be informed concerning a (respondent) bank’s AML/CFT controls, and this shows that the risks are understood and managed in a proper way.
[5] Tim Parkman
III Basic AML/CFT Training Program
Training is an essential part of financial institutions’ AML/CFT effort. It helps to generate a culture
of awareness among staff. The FFIEC BSA/AML Examination Manual sets forth the minimum
standards of training:
- Training must be provided for all personnel whose duties require knowledge of the BSA.
- New hires should be given training at once in orientation phase.
- Employees’ specific responsibilities require tailored training.
- Training should encompass information related to applicable business lines.
- The BSA/AML compliance officer should receive periodic training that is relevant.
- The board of directors and senior management should be trained concerning changes and new developments in the BSA.
Training should be ongoing and incorporate current developments and changes to the BSA and any related regulations. Changes to internal policies, procedures, processes, and monitoring systems should also be covered during training. Financial institutions should document their training programs. Training and testing materials, the dates of training sessions, and attendance records should be documented and saved for reviews afterwards.[6]
Training Needs Analysis—TNA
When thinking about the recent money laundering incidents, it must be obvious that the basic training plan cannot be considered adequate to support the staff and the organization in AML/CFT efforts. Training is a useful tool to generate the culture of awareness among the employees, senior management, and the board. Knowing the signs of potential money laundering and terrorist financing is undoubtedly one of the most important capabilities that staff within financial organizations should have. Accordingly, thorough training and awareness programs help ensure that staff know what they are looking for in a suspicious transaction.[7]
TNA is a systematic approach that helps assess training needs within the organization and thereafter sets training priorities. The TNA process has three steps.
Step 1: Previous Training Provisions
In the first phase, work out what training has already been completed by using several resources (data from training and testing materials, AML/CFT risk assessment and analyses, internal audit reports, etc.). That information helps reveal what the employees in business lines and other functions already know, as well as future training needs.
[6] FFIEC BSA/AML Examination Manual 2014
[7] Tim Parkman
Step 2: Future Training Objectives and Planning
In the second phase, the training needs must be established based on information gathered during the previous phase, regarding employees’ skills and knowledge. In this phase, it is reasonable to find out about the upcoming reviews and inspections of regulators and correspondent banks. Training regarding an organization’s internal policies, procedures, and processes is necessary in case the regulation has changed, and the organization’s own policies and procedures have been updated.
In this phase, the training goals must be determined, and the training plan for the next training period must be approved. However, an efficient AML/CFT training program does not only meet the standards set out by the lawmaker and regulator. Efficient training should also draw staff’s attention to suspicious activity and describe each responsibility in AML/CFT processes in an understandable way. Therefore, to clarify the training objectives, it would be advisable to pose the following questions[8]:
- Whom to train?
- What to train?
- How to train?
- When to train?
Step 3: Delivery of Focused Plan
Having worked out what training has already been done and what training needs to be done, the list of training requirements can be drawn up by mapping the existing training provisions to current and future provisions. The training program content shall contribute to achieving the agreed learning objectives.
Organizations that apply TNA process can show commitment to their AML compliance culture. It also helps employees understand and adhere to the organization’s AML/CFT compliance requirements that apply to their daily activities.
IV Planning and Developing an Effective AML/CFT Training Program
The first step in designing an effective training program is to identify the target audience. Most areas of the institution should receive AML training, and the target audience should include most of the employees.[9] An effective AML/CFT training must be adequately planned to address material needs in the organization. Training should be designed with the right mix of general education and targeted information. Effective and efficient training begins with TNA.
Whom to Train? Target Audience
At a minimum, the bank’s training program must provide training for all personnel whose duties require knowledge of the BSA. The training should be tailored to the person’s specific responsibilities. In addition, an overview of the BSA/AML requirements typically should be given to new staff during employee orientation.
The BSA compliance officer should receive periodic training that is relevant and appropriate, given changes to regulatory requirements as well as the activities and overall BSA/AML risk profile of the bank.
The board of directors and senior management should be informed of changes and new developments in the BSA, but the board of directors may not require the same degree of training as banking operations personnel; they need to understand the importance of BSA/AML regulatory requirements, the ramifications of noncompliance, and the risks posed to the bank. Without a general understanding of the BSA, the board of directors cannot adequately provide BSA/AML oversight.[10]
[8] Study Guide for the CAMS Certification Examination, 5th Edition
[9] Study Guide for the CAMS Certification Examination, 5th Edition
What to Train? The Topics to Be Taught
Well-planned training should satisfy legal, regulatory, and policy requirements as well as support
staff in understanding their roles and responsibilities. The content and frequency of the training
must comport with business lines, as well as functional and regulatory requirements. The training
must cover topics of general applicability, as well as local and business-specific requirements,
and address how these requirements apply to specific job functions and responsibilities.[11]
Effective training should present real-life money laundering schemes, preferably cases that have occurred at the institution or at similar institutions, including, where applicable, how the pattern of activity was first detected, its impact on the institution, and its ultimate resolution.[12]
The training program should reinforce the importance that the board and senior management place on the bank’s compliance with the BSA and ensure that all employees understand their role in maintaining an effective BSA/AML compliance program.[13] Boards of directors and senior management should understand their responsibilities regarding the institution’s BSA/AML program. Better understanding of their responsibilities can be derived through training modules.
How to Train? Ways of Communication
Different kinds of AML/CFT issues might need various forms of communication to the staff. When those issues are identified, someone must decide on the best way to communicate them. Training is communication. Sometimes a memo or e-mail message will accomplish what is needed without formal, in-person training. New hires should receive training different from that given to veteran employees.
Determine the needs that should be addressed. There may be issues uncovered by audits or exams, or created by changes to systems, products, or regulations.
“One size fits all” training does not work anymore. Financial institutions are not alike, and differences in business lines, customer bases, products and services, regions, sizes, and volumes must affect organizations’ training plans and their deliveries. A portfolio of targeted training content reflects the maturity of financial institutions’ educational strategy, meaning organizations’ understanding of everyone’s roles and their exposure to the ML/TF risks.
Targeted training can consist of different layers, such as:
a) a shared module with key regulatory/corporate messages;
b) a suite of targeted trainings for specific functions; and
c) an evolutionary awareness training package.[14]
[10] FFIEC BSA/AML Examination Manual 2014
[11] Citi Transaction Banking Academy for FI Professionals – AML training
[12] Study Guide for the CAMS Certification Examination, 5th Edition
[13] FFIEC BSA/AML Examination Manual 2014
When to Train? Delivery Methods
Modern training takes place outside the classroom. Beyond classroom training, an organization’s AML/CFT training program is limited only by resources and needs. Training sessions can be system-enforced when the system delivers the necessary credentials to access on the screen, or when “training messages” pop up on the screen while logging in. Employee-friendly technology training includes different webinars, which are also convenient methods for remote staff or employees working non-traditional hours.[15]
Digital technologies have revolutionized AML training administration. Training and testing materials, the dates of training sessions, attendance records, and training completion information can be maintained by using digital technology.
Below is an example of course tracking for the e-learning process:
If staff have not completed by the required deadline, they will receive an overdue notification, copied to managers, and an e-mail every three days for a period of 30 days after the completion deadline. Managers will be cc’d (GLMS = Global Learning Management System). The automated overdue e-mails will cease after the further 30 days, at which point overdue staff will be incorporated within the formal escalation process.
Statistics on completion rates of training sessions can be provided monthly in governance forums attended by all business lines and compliance and corporate functions, to ensure awareness and oversight by regional senior management. At the end of each quarter, a list of names of overdue learners is distributed to facilitate action by senior management for overdue learners in their areas.[16]
However, it is essential when planning training delivery methods that the wide range of media and training tools is chosen depending upon the subject matter and audience. The roles and responsibilities of senior management, front-line relationship managers, and SAR investigators differ so much that training for these groups must be delivered appropriately.
[14] Fabrice Borsello
[15] Fabrice Borsello
V Audit’s Approach and Expectations for Training Program Review
In accordance with the FFIEC BSA/AML Exam Manual, the task of auditors is to determine
whether the following elements are adequately addressed in the training program and materials
of a bank:
- The importance the board of directors and senior management places on ongoing education, training, and compliance
- Employee accountability for ensuring BSA compliance
- Comprehensiveness of training, considering specific risks of individual business lines
- Training of personnel from all applicable areas of the bank
- Frequency of training
- Documentation of attendance records and training materials
- Coverage of bank policies, procedures, processes, and new rules and regulations
- Coverage of different forms of money laundering and terrorist financing as it relates to identification and examples of suspicious activity
- Penalties for noncompliance with internal policies and regulatory requirements
[16] Citi Transaction Banking Academy for FI Professionals – AML training
Fundamentals of BSA/AML Area
In addition to the elements listed above under audit’s approach and expectations, the following subject matter should be considered[17]:
Planning and Scoping
The planning and scoping process should be completed before entering the bank. During the scoping and planning process, it is useful to discuss BSA/AML matters with bank management, including the BSA/AML compliance officer and other key stakeholders. Depending on the financial institution’s business lines and activities, it is advisable to acquaint oneself with business operations and expectations. Reviewing the results of prior internal audits, regulatory exams and other external program assessments on AML training or internal controls can reveal issues that should be taken into the audit scope.[18]
BSA/AML Risk Assessment
Evaluating the BSA/AML risk assessment should be part of scoping and planning the examination, and the inclusion of a section on risk assessment in the manual does not mean the two processes are separate. Rather, risk assessment has been given its own section to emphasize its importance in the examination process and in the bank’s design of effective risk-based controls.[19]
In reviewing the risk assessment during the scoping and planning process, the auditor should determine whether management has considered all products, services, customers, entities, transactions, and geographic locations, and whether management’s detailed analysis within these specific risk categories was adequate. The financial institution’s BSA/AML compliance program must be reviewed with sufficient knowledge of the bank’s BSA/AML risks to determine whether the BSA/AML compliance program is adequate and provides the controls necessary to mitigate risks.[20]
Information regarding the financial institution’s training program and results should be thoroughly detailed in the risk assessment. Among other things, the information should include an outline of training topics and testing materials in the annual BSA/AML training, responsibilities for organizing the training program, types of training, methods of assigning and tracing the training courses, training information concerning BSA/AML compliance officer, senior management and board, and new hires, etc.
When the scope of the audit is planned to focus on training, the information mentioned may indicate something about the quality of the training program, deficiencies in the training content, or personnel coverage.
[17] FFIEC BSA/AML Examination Manual 2014
[18] ACAMS Advanced Certification, Live Program
[19] FFIEC BSA/AML Examination Manual 2014
[20] FFIEC BSA/AML Examination Manual 2014
BSA/AML Compliance Program
The BSA/AML compliance program must be written, approved by the board of directors, and
noted in the board minutes. A bank must have a BSA/AML compliance program commensurate
with its respective BSA/AML risk profile. Furthermore, the BSA/AML compliance program must
be fully implemented and reasonably designed to meet the BSA requirements. Policy statements
alone are not sufficient; practices must coincide with the bank’s written policies, procedures, and
processes.
The BSA/AML compliance program must contain the following required minimum elements: 1)
system of internal controls; 2) independent testing of BSA compliance; 3) BSA compliance of-
ficer; and 4) training.
In addition, financial institutions must have a written Customer Information Program (CIP)
incorporated into the bank’s BSA/AML compliance program. The CIP is intended to enable the bank
to form a reasonable belief that it knows the identity of each customer. The CIP should be
appropriate for the size and type of business of the financial institution.21
When the audit concentrates particularly on training issues, the first thing is to ensure that
training has been provided to appropriate personnel. The concerns identified in the risk
assessment should be adequately addressed in the BSA/AML compliance program. From the audit point
of view, this means that in those business lines and operations where higher risk has been
identified in the risk assessment, appropriate policies and procedures should have been developed
to monitor and control those risks.22 Of course, audits should also look through the BSA/AML
compliance program to find out whether those high-risk areas are provided with targeted,
qualified training.
Tying Wire Between Training and the Other Pillars of BSA/AML Compliance Program
Training can be considered an essential control when managing ML/TF risks. In the BSA/AML
compliance program, training is one of the four minimum elements or pillars of the program.
It has therefore been given remarkable importance in regulation. However, training tends to be
easily ignored when identifying and assessing ML/TF risks and their controls, although that should
not be the case.
Training is incorporated in the four pillars of the BSA/AML compliance program. Internal controls
of a financial institution should include policies, procedures, and processes that train employees
to be aware of their responsibilities under the BSA regulations and internal policy guidelines. The
independent testing should address training, including its comprehensiveness, accuracy of
materials, training schedule, and attendance tracking. Finally, the BSA/AML compliance pillar
demands competency of the BSA/AML compliance officer. Competency can be gained through proper
training.
On page 2 of this presentation, there is a chart with comments and criticism of auditors and
examiners concerning AML/CFT processes that relate to training. The level of staff knowledge and
understanding can be improved in most of the areas referenced, such as the completion of
SARs, suspicious activity monitoring, new account documentation, and following bank policy and
procedures. Those areas that lack training might have been discovered while auditing other
pillars than training, but the key to remediation is training.
21 FFIEC BSA/AML Examination Manual 2014
22 Donna Davidek
Enforcement Actions May Cite Training Deficiency as Follows:
“require ongoing training of appropriate personnel”/UBS Financial Services Inc.
“BSA/AML personnel required significant training”/Gibraltar Private Bank and Trust Company
“appropriate training to all staff regarding BSA/AML requirements”/Commerzbank
It is noteworthy that many deficiencies noted in enforcement actions concern training, even
though the actions make no reference to training:
“failed to comply with the business’ policies and statutory requirements regarding customer due diligence (CDD) and enhanced due diligence (EDD)”/Zions First National Bank
“SARs filed…were not adequate and of poor quality”/TCF National Bank
“consequently, failed to timely report suspicious activities”/First National Community Bank
Based on the above, training should be treated as the first, last, and best control, and
it should not be undervalued.
Competency of the Auditors Regarding Appropriate Training
Auditors have an enormous field of work, which requires comprehensive knowledge and skills of
BSA/AML requirements. When auditing the BSA/AML compliance program’s training pillar, the
requirements for auditors’ competency should cover, among other things, the financial
institution’s policies, procedures, and processes; new rules and regulations; an understanding of
the specific risks of individual business lines; suspicious activity monitoring and the SAR
process from alerts to SAR completion and filing; and several IT systems and applications. That is
because auditors should be able to assess the appropriateness of training delivered to personnel
in various duties in the organization.
It goes without saying that it is not possible for anyone to master, in practice, a whole complex
of issues such as BSA/AML regulation, information systems, or business-wide detailed processes.
Auditors definitely are subject matter experts to a certain point, but within the financial
institution’s compliance and audit departments, and financial crime and IT units, specialised
generalists must exist who are responsible and up-to-date in their knowledge of all the necessary
information concerning laws, regulations, IT systems, and processes. It is important for auditors
to be able to rely on these experts without, of course, giving up their integrity.23
When multiple departments in large financial institutions are responsible for researching unusual
activities, the lines of communication between the departments must remain open. This allows
organizations with bifurcated processes to gain efficiencies by sharing information.24
23 Kathleen O. Smith
24 FFIEC BSA/AML Examination Manual 2014
Developing Conclusions and Finalizing the Audit Review
Audit/independent testing should, at a minimum, include an evaluation of the overall adequacy
and effectiveness of the BSA/AML compliance program, including policies, procedures, and
processes. Typically, this evaluation includes an explicit statement about the BSA/AML compliance
program’s overall adequacy and effectiveness and compliance with applicable regulatory
requirements. At the very least, the audit should contain sufficient information for the reviewer
(e.g., an examiner, review auditor, or BSA officer) to reach a conclusion about the overall
quality of the BSA/AML compliance program.25
In this final phase of the audit, all findings from the completed audit procedures must be
assembled. Auditors should develop and document conclusions about the BSA/AML compliance
program’s adequacy, discuss preliminary conclusions with the financial institution’s management,
and present the conclusions in a written format.26 The severity and types of findings, and the
grounds for deficiencies, should be discussed with management, and auditors may allow a remedy of
the violation or deficiency during the audit or before finalizing it.
When the audit has focused on training, one of the four elements of the BSA/AML program, the
final audit report should also provide a review of the training program of the financial
institution with a conclusion as to whether personnel are sufficiently trained to adhere to legal,
regulatory, and policy requirements.27
VI Implementation of Audit’s Recommendations
At the end of an audit, review comments and proposed recommendations should be built into the
financial institution’s training program. Quite often, competing priorities and other factors may
prevent implementing the agreed actions in the agreed timeline. The purpose of follow-up is to
ensure that the actions have been implemented in a timely manner, and that they have ad-
dressed the issue.
How to Ensure That the Requested Action Plans Will Be Executed
First, it could be argued that senior management is responsible for the implementation of
recommendations. Very often, for example when the recommendations have been addressed to
training programs, the action plans (or parts of them) must be executed in different areas of the
organization.
Carrying out the action plans requires cooperation between business, compliance, and audit.
The implementation process involves activity in each line of defense.
Business managers in the first line of defense are responsible for risk mitigation and control
within the business function that generates the risks, in particular through policies and
procedures, training, and line management oversight. Compliance in the second line of defense is
an independent oversight function, and the compliance function can provide business lines with
legal support during execution of the action plan. Finally, audit as the third line of defense can
validate the process for its part. Audit may help the organization track the implementation and
periodically follow up to see that risks are being adequately managed.28
25 FFIEC BSA/AML Examination Manual 2014
26 FFIEC BSA/AML Examination Manual 2014
27 FFIEC BSA/AML Examination Manual 2014
Action Plan and Follow-up Process29
The degree of follow-up activity may be influenced by the size and nature of the risks and
deficiencies identified and the extent of the action plan. Of course, it is necessary to follow up
the implementation to ensure action plans effectively remedy identified deficiencies, but
organizations should assess and choose suitable follow-up processes and tools themselves.
In general, the follow-up process helps to determine the effectiveness of action plans. The follow-
up reports highlight whether recommendations or action plans are pending, in progress, or com-
plete in the form of a dashboard for senior management and committee use.
It is essential for organizations to have a good understanding of their action plans and their exe-
cution. Discrepancy between reported risk responses and the actual status could mislead those
who rely on the information. Audit, compliance, and business line managers work collaboratively
to actively report and evidence where recommendations have been addressed. This will help re-
duce the amount of objective follow-up work.
Finally, follow-up should consider whether actions have been implemented and whether the iden-
tified deficiencies have been adequately corrected.
VII Key Takeaways and Conclusions
The risk-based approach is the cornerstone of AML/CFT regulation. It must be kept in mind not
only when assessing the significance and likelihood of AML/CFT threats, but also when assessing
the effectiveness and efficiency of AML controls, training included. By applying a risk-based
approach when developing and organizing AML training for staff, financial institutions can show
their regulators, supervisors, correspondents, investors, and other stakeholders that the training
is focused on the risks that the financial institution is confronting.
Training Needs Analysis
To convince the above-mentioned parties, the financial institution should create a comprehensive
training program where the key risks are addressed by prioritized training. Training concerning
risks perceived as minor or less important should be addressed as well, but that training can be
provided later.
The best way for a financial institution to demonstrate to those parties that it really understands
the substance of the risk-based approach is to apply a “training needs analysis” (TNA) system. A
TNA system helps identify training needs within the organization and thereafter set training
priorities. A TNA system proceeds as follows:
monitoring the skills and knowledge of the staff;
monitoring the upcoming reviews and inspections of regulators and correspondent banks and training regarding an organization’s internal policies and procedures in case of the regulatory changes; and
drawing up the training needs by mapping the existing training provisions to current and future provisions.
28 Chartered Institute of Internal Auditors
29 Chartered Institute of Internal Auditors
By using TNA when developing an AML training plan, and documenting the procedure as a
three-step process, financial institutions can show outsiders not only that the appropriate
AML training has been undertaken, but also that the training efforts have been targeted
effectively by starting from key risks and continuing to minor risks.
Competence Requirements for an Auditor
An independent auditor or audit function should be able to assess and test the efficiency and ef-
fectiveness of an AML training program.
That means the auditors must have quite exhaustive expertise in AML areas: business-wide
topics (BSA/AML compliance programs, AML risk assessment, CIP, CDD, suspicious activity
monitoring and reporting, etc.); higher-risk topics (funds transfers, private banking,
correspondent banking, MSBs, PEPs, etc.); and special topics (various systems and applications,
such as KYC/CIP systems, SAR reporting systems, AML Data Control systems, etc.). In addition,
auditors should possess auditing experience in those areas to properly manage their duties and
responsibilities.
It is evident that no one can master all aspects of AML so widely and without gaps. Of
course, auditors should have great knowledge and be thoroughly trained on all areas of
BSA/AML, but auditors’ competency and expertise should most closely resemble that of an AML
generalist with auditing expertise. That is not to say that the auditor could not be specialized
in certain AML areas, but in financial institutions, there must be subject matter experts and
specialized generalists who have up-to-date knowledge and skills regarding regulation, policies,
procedures, IT systems, products and services, etc. These specialists with deep expertise can be
of great support to auditors, who can concentrate on their auditing tasks but get detailed AML
area information at once if needed.
AML Training Is Communication
AML training sessions can create interaction and help employees understand and adhere to the
organization’s AML/CFT compliance requirements that apply to daily activities. A robust and
sound AML/CFT training program is critical to financial institutions because it shows that the
organization understands and manages its AML/CFT risks. Therefore, an AML training program
can be considered a financial institution’s first, last, and best control when combating money
laundering risks.
As stated, it is important that the lines of communication remain open in the organization. This
allows financial institutions with complicated processes to improve efficiency by sharing infor-
mation and reducing redundancies.
Finally, organizations that have developed comprehensive AML training programs that are up-
dated regularly can also show commitment to AML compliance culture.
References
ACAMS Advanced Certification. Live Program (5–7 November 2018).
Chartered Institute of Internal Auditors (CIIA): Following up recommendations/management actions (3 March 2018).
Citi Transaction Banking Academy for FI Professionals—AML training (3–4 May 2016).
Directive (EU) 2015/849 (i.e. 4th AMLD) and 2018/843 (i.e. 5th AMLD) of the European Parliament and of the Council (20 May 2015 and 18 May 2018).
Donna Davidek: Auditing and training BSA/AML Risk Assessment http://www.acams.org/wp-content/uploads/2015/08/Auditing-Updating-an-AML-Risk-Assessment-Donna-Davidek.pdf
Fabrice Borsello: Making Your Organization’s AML/CFT Training More Efficient –AML-Training (16 Feb 2017).
FFIEC BSA/AML Examination Manual 2014 (Federal Financial Institutions Examination Council): Bank Secrecy Act/Anti-Money Laundering Examination Manual.
FinCEN (Financial Crimes Enforcement Network): History of Anti-Money Laundering Laws https://www.fincen.gov/history-anti-money-laundering-laws.
Kathleen O. Smith (CAMS Audit - White Paper): AIMing for Excellence. http://www.acams.org/wp-content/uploads/2015/08/AIMing-for-Excellence-Kathleen-O-Smith.pdf
Maleka Ali (CAMS Audit—White Paper): Auditing for Effective Training. http://www.acams.org/wp-content/uploads/2015/08/Auditing-for-Effective-Training-Maleka-Ali.pdf
OCC (Office of the Comptroller of the Currency): BSA and Related Regulations https://www.occ.treas.gov/topics/compliance-bsa/bsa/bsa-regulations/index-bsa-regulations.html.
Study Guide for the CAMS Certification Examination (5th Edition).
Tim Parkman (2012). Mastering Anti-Money Laundering and Counter-Terrorist Financing.