PLANNING AND DESIGNING AN EFFECTIVE AML-TRAINING PROGRAM FOR FINANCIAL INSTITUTIONS AND AUDITING ITS EFFICIENCY Riitta Erkko

Post on 10-Jul-2020


Page 1: PLANNING AND DESIGNING AN EFFECTIVE AML-TRAINING …files.acams.org/pdfs/2019/White-paper-Audit-Riitta-Erkko.pdfDesigning training programs and action plans does not ensure efficiency

PLANNING AND DESIGNING AN EFFECTIVE AML-TRAINING PROGRAM FOR FINANCIAL INSTITUTIONS AND AUDITING ITS EFFICIENCY

Riitta Erkko

15.3.2019

Table of Contents

I Introduction
II Regulatory Obligations and Guidance on AML Training
    AML/CFT Regulation in European Union (EU)
    The Bank Secrecy Act
    Resemblances and Differences
    Risk-Based Approach in AML Training
III Basic AML/CFT Training Program
    Training Needs Analysis—TNA
    Step 1: Previous Training Provisions
    Step 2: Future Training Objectives and Planning
    Step 3: Delivery of Focused Plan
IV Planning and Developing an Effective AML/CFT Training Program
    Who to Train? Target Audience
    What to Train? The Topics to Be Taught
    How to Train? Ways of Communication
    When to Train? Delivery Methods
V Audit’s Approach and Expectations for Training Program Review
    Fundamentals of BSA/AML Area
    Tying Wire Between Training and the Other Pillars of BSA/AML Compliance Program
    Competency of the Auditors Regarding Appropriate Training
    Developing Conclusions and Finalizing the Audit Review
VI Implementation of Audit’s Recommendations
    How to Ensure that the Requested Action Plans Will Be Executed
    Action Plan and Follow-up Process
VII Key Takeaways and Conclusions
    Training Needs Analysis
    Competence Requirements for an Auditor
    AML Training is Communication
References

I Introduction

The financial industry has a core role to play in preventing money laundering and terrorist financing. Strong financial crime management practices can be considered one of the most powerful devices against financial crime. Good practices can help identify and prevent perpetrators and terrorists from carrying out their criminal plans.

Money laundering and terrorist financing schemes are rapidly evolving, and the pace of the technological development of new payment methods is huge. It is self-evident that most of the people employed by financial institutions cannot be hot on criminals’ heels or keep up with technological development, and, finally, be able to adopt that knowledge in their anti-money laundering and counter-terrorist financing (AML/CFT) responsibilities at work. Therefore, training is an essential component to raising awareness among an organization’s staff, concerning product and service development’s money laundering risks, and to observing methods potentially related to money laundering or terrorist financing in the financial industry.

Unfortunately, training tends to be easily forgotten in everyday life, although training is a regulatory requirement in most countries:

“Obliged entities shall take measures proportionate to their risks, nature and size so that their employees are aware of the provisions adopted pursuant to this Directive. Those measures shall include participation of their employees in special ongoing training programs to help them recognize operations which may be related to money laundering or terrorist financing and to instruct them as to how to proceed in such cases.”

EU’s 4th AML Directive

Sources: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L0849&qid=1563038972644&from=EN and https://bsaaml.ffiec.gov/docs/manual/BSA_AML_Man_2014_v2_CDDBO.pdf / Article 46 Federal Financial Institutions Examination Council: Bank Secrecy Act/Anti-Money Laundering Examination Manual (FFIEC BSA/AML Examination Manual 2014) / Suspicious Activity Reporting: Managing Alerts

However, more often than not, training is the area where the purse strings are tightened when the expenditure budget is exceeded. Trimming staff’s AML/CFT training is unwise and indicates that the financial institution has not quite understood the value of skilled employees and their efficient training as a control tool. Effective training can be considered the first, last, and best AML/CFT tool for risk management and control.

A robust and sound AML/CFT training program is critical to financial institutions, because it shows that the organization understands and manages its AML/CFT risks.

The following chart¹ presents comments or criticism from auditors or examiners in many areas of AML/CFT processes related to training:

Source: Maleka Ali (CAMS Audit—White Paper): Auditing for Effective Training

It would be interesting to know which share of criticism in areas such as customer onboarding and account/activity monitoring could have been avoided if training were delivered to appropriate personnel. As far as I am concerned, targeted or tailored training would certainly have diminished the figures above.

My objective with this white paper is to help management and staff in banks, or any other financial institutions, understand that roles and responsibilities of various types in the organization (front line, investigators, analysts, compliance, IT, audit, senior management, etc.) require different kinds of training. No more “tick-the-box” exercises. It is important that everybody understands his/her own role in the AML/CFT process in different units or levels of an organization.

1 Maleka Ali

Designing training programs and action plans does not ensure efficiency and effectiveness of training. Therefore, in this white paper, I aim to outline the roles and expectations of audits, and the means of supporting financial institutions in a proactive way while auditing the training framework. Audits can strengthen the importance of AML training as an extensive control tool within the framework of financial institutions.

Finally, an interesting point of view concerning training programs is the question of whether auditors are knowledgeable about the AML/CFT matters that are the subject of their reviews.

My target audience is compliance officers and other personnel in financial institutions who design and deliver AML training programs, and also professionals in business lines, auditing, and senior management. I hope they come to understand the value of AML training, and their own roles as controllers, when putting lessons learned into practice.

II Regulatory Obligations and Guidance on AML Training

As my legal background in AML/CFT issues is in EU regulation, I will compare the 4th and 5th AML Directives (AMLD) of the European Union and the BSA/AML Act of the United States to highlight similarities and differences between the frameworks of the two legislations.

AML/CFT Regulation in European Union (EU)

2018 was a revolutionary year in Europe regarding AML/CFT compliance lapses. Instead of U.S.-based financial institutions, the actors of many AML/CFT breaches have been found in Europe (Danske Bank, ING Bank N.V., ABLV Bank, and Pilatus Bank). It seems that Europe has faced a major crisis with money laundering, due to several money laundering scandals last year. In Europe, AML/CFT regulation is based on the 4th AML Directive with the update of the 5th AML Directive, which each EU member country must implement in their national legislation.

In September 2018, the EU Commission announced the strengthening of AML supervision. The target is to concentrate AML powers in relation to the financial sector within the European Banking Authority (EBA) and strengthen its mandate to ensure that relevant authorities effectively and consistently supervise risks of money laundering. All relevant authorities should cooperate and share information. This means the EBA will issue regulations and guidelines to collaborate and support national competent authorities of EU member countries, and oversee them as well.

According to AMLD national AML/CFT legislation of the EU, member countries must have in place policies, controls, and procedures to effectively mitigate and manage the risks of money laundering and terrorist financing identified at the level of the Union, the member state, and the obliged entity.

The policies, controls, and procedures should cover at least the development of internal policies, controls, and procedures, including model risk management practices, customer due diligence, reporting, record keeping, and internal controls. Financial institutions’ staff must participate in special ongoing training programs to recognize operations that may be related to money laundering or terrorist financing.

Regarding the size and nature of the business, the policies, controls, and procedures shall also include, where appropriate, the appointment of a compliance officer at the management level, and an independent audit function to test the internal policies, controls, and procedures.²

In line with the FATF’s standards, the AMLD puts the risk-based approach at the center of Europe’s AML/CFT regime. Risk assessments are considered an essential means of risk management. The documented risk assessments have been regulatory requirements only after the AMLD entered into force in 2015. The role of internal or external audits in executing independent testing, alone or in cooperation with another service provider, has not been highlighted in AMLD, either.

Case law and enforcement actions on a national level, regarding AML/CFT issues, have been infrequent. Perhaps the situation will change as the role of the European Banking Authority as a regulator and a supporter of national competent authorities grows.

The Bank Secrecy Act

The Bank Secrecy Act (BSA) has been in force since 1970. The BSA is sometimes referred to as an AML law, or jointly as BSA/AML. BSA requires financial institutions in the U.S. to assist U.S. government agencies in detecting and preventing money laundering.

BSA/AML regulation requires every U.S. national bank and savings association to have a written, board-approved program that is reasonably designed to assure and monitor compliance with the BSA. The program must, at a minimum:

• provide for a system of internal controls to assure ongoing compliance;
• provide for independent testing for compliance;
• designate an individual responsible for coordinating and monitoring day-to-day compliance; and
• provide training for appropriate personnel.

2 4th AMLD

In addition, every bank must adopt a customer identification program as part of its BSA compliance program.³

According to the FFIEC BSA/AML Examination Manual, financial institutions’ BSA/AML compliance program must be documented, approved by boards of directors, and noted in board minutes. A bank must have a BSA/AML compliance program commensurate with its respective BSA/AML risk profile.

The FFIEC BSA/AML Examination Manual advises actors in the financial industry how to apply BSA/AML and regulations. The manual is of great help when planning and implementing policies and procedures in practice.

Resemblances and Differences

The U.S. has a much longer tradition regarding AML/CFT issues than the EU does. The Financial Crimes Enforcement Network acts as the designated administrator of the Bank Secrecy Act (BSA). The BSA was established in 1970 and has become one of the most important tools in the fight against money laundering.⁴ In Europe, AML legislation did not enter into force until 1991.

The first AMLD in 1991 was the basic package, requiring EU member countries to implement laws centered on FATF recommendations. Today, the 4th and 5th AML Directives have repealed the previous directives. Directives are not applicable directly in EU member states. Directives must be implemented by the end of a transition period, usually 18–24 months, mentioned in the directive.

The common feature for both regulations is the risk-based approach. But in the U.S., the tradition of applying a risk-based approach has a longer history than in Europe. Since 2005, depository financial institutions have been required to perform and document a written BSA/AML risk assessment, but in the EU, the requirement of risk assessment documentation was entered into AMLD only in 2015. Hence, the requirement of written AML risk assessment is quite new among EU member countries.

In general, the AML framework looks quite the same in the U.S. and the EU: both regulations require entities to have internal policies, controls, and procedures; CDD-process, SAR-reporting, and internal controls in place; and training for staff.

However, EU’s AMLD and EBA guidelines are lacking adequate practical advice, for example, regarding training. Therefore, I consider the FFIEC BSA/AML Examination Manual an invaluable tool both for authorities and financial institutions when striving to be compliant with BSA/AML regulation. That kind of manual would be of great value for obliged entities in EU member countries, as well.

3 OCC: BSA and Related Regulations
4 FinCEN: History of Anti-Money Laundering Laws

Risk-Based Approach in AML Training

Risk-based approach (“RBA”) is a general global requirement documented as FATF’s first recommendation. Risk-based approach should be used when assessing money laundering/terrorist financing (ML/TF) risks to ensure that measures used to mitigate or prevent those risks are commensurate with the risks identified. Risk-based approach is the foundation to the efficient allocation of resources.

In practice, risk-based approach means that financial institutions should apply 90 percent of available resources toward the 10 percent of their business that constitutes the most serious risk.⁵

Risk-based approach in AML/CFT training requires that financial institutions have documented an ongoing employee training program. In a carefully designed AML/CFT training program, the focus is addressed to key risks.

Financial institutions’ risk assessment results are a good starting point to create prioritized training. The key issues for training can be found within AML/CFT threats, but also in observations on lacking skills and expertise in certain lines of business or in the process of execution. In such a way, the risk-based approach will be applied almost automatically. Training to address lower or minor risks can be planned thereafter in order of importance.

Well-organized training is not “just” a regulatory requirement. Usually, correspondent banks and investors find it necessary to be informed concerning (respondent) bank’s AML/CFT controls, and this shows that the risks are understood and managed in a proper way.

5 Tim Parkman

III Basic AML/CFT Training Program

Training is an essential part of financial institutions’ AML/CFT effort. It helps to generate a culture of awareness among staff. The FFIEC BSA/AML Examination Manual sets forth the minimum standards of training:

• Training must be provided for all personnel whose duties require knowledge of the BSA.
• New hires should be given training at once in orientation phase.
• Employees’ specific responsibilities require tailored training.
• Training should encompass information related to applicable business lines.
• The BSA/AML compliance officer should receive periodic training that is relevant.
• The board of directors and senior management should be trained concerning changes and new developments in the BSA.

Training should be ongoing and incorporate current developments and changes to the BSA and any related regulations. Changes to internal policies, procedures, processes, and monitoring systems should also be covered during training. Financial institutions should document their training programs. Training and testing materials, the dates of training sessions, and attendance records should be documented and saved for reviews afterwards.⁶

Training Needs Analysis—TNA

When thinking about the recent money laundering incidents, it must be obvious that the basic training plan cannot be considered adequate to support the staff and the organization in AML/CFT efforts. Training is a useful tool to generate the culture of awareness among the employees, senior management, and the board. Knowing the signs of potential money laundering and terrorist financing is undoubtedly one of the most important capabilities that staff within financial organizations should have. Accordingly, thorough training and awareness programs help ensure that staff know what they are looking for in a suspicious transaction.⁷

TNA is a systematic approach that helps assess training needs within the organization and thereafter sets training priorities. The TNA process has three steps.

Step 1: Previous Training Provisions

In the first phase, work out what training has already been completed by using several resources (data from training and testing materials, AML/CFT risk assessment and analyses, internal audit reports, etc.). That information helps reveal what the employees in business lines and other functions already know, as well as future training needs.

Step 2: Future Training Objectives and Planning

In the second phase, the training needs must be established based on information gathered during the previous phase, regarding employees’ skills and knowledge. In this phase, it is reasonable to find out the upcoming reviews and inspections of regulators and correspondent banks. Training regarding an organization’s internal policies, procedures, and processes is necessary in case the regulation has changed, and the organization’s own policies and procedures have been updated.

6 FFIEC BSA/AML Examination Manual 2014
7 Tim Parkman

In this phase, the training goals must be determined, and the training plan for the next training period must be approved. However, an efficient AML/CFT training program does not only meet the standards set out by the lawmaker and regulator. Efficient training should also seize staff’s attention to suspicious activity and describe each responsibility in AML/CFT processes in an understandable way. Therefore, to clarify the training objectives, it would be recommendable to pose the following questions⁸:

Whom to train?

What to train?

How to train?

When to train?

Step 3: Delivery of Focused Plan

Having worked out what training has already been done and what training needs to be done, the list of training requirements can be drawn up by mapping the existing training provisions to current and future provisions. The training program content shall contribute to achieving the agreed learning objectives.

Organizations that apply the TNA process can show commitment to their AML compliance culture. It also helps employees understand and adhere to the organization’s AML/CFT compliance requirements that apply to their daily activities.

IV Planning and Developing an Effective AML/CFT Training Program

The first step in designing an effective training program is to identify the target audience. Most areas of the institution should receive AML training, and the target audience should include most of the employees.⁹ An effective AML/CFT training must be adequately planned to address material needs in the organization. Training should be designed with the right mix of general education and targeted information. Effective and efficient training begins with TNA.

Whom to Train? Target Audience

At a minimum, the bank’s training program must provide training for all personnel whose duties require knowledge of the BSA. The training should be tailored to the person’s specific responsibilities. In addition, an overview of the BSA/AML requirements typically should be given to new staff during employee orientation.

The BSA compliance officer should receive periodic training that is relevant and appropriate, given changes to regulatory requirements as well as the activities and overall BSA/AML risk profile of the bank.

The board of directors and senior management should be informed of changes and new developments in the BSA, but the board of directors may not require the same degree of training as banking operations personnel; they need to understand the importance of BSA/AML regulatory requirements, the ramifications of noncompliance, and the risks posed to the bank. Without a general understanding of the BSA, the board of directors cannot adequately provide BSA/AML oversight.¹⁰

8 Study Guide for the CAMS Certification Examination, 5th Edition
9 Study Guide for the CAMS Certification Examination, 5th Edition

What to Train? The Topics to Be Taught

Well-planned training should satisfy legal, regulatory, and policy requirements as well as support staff in understanding their roles and responsibilities. The content and frequency of the training must comport with business lines, as well as functional and regulatory requirements. The training must cover topics of general applicability, as well as local and business-specific requirements, and address how these requirements apply to specific job functions and responsibilities.¹¹

Effective training should present real-life money laundering schemes, preferably cases that have occurred at the institution or at similar institutions, including, where applicable, how the pattern of activity was first detected, its impact on the institution, and its ultimate resolution.¹²

The training program should reinforce the importance that the board and senior management place on the bank’s compliance with the BSA and ensure that all employees understand their role in maintaining an effective BSA/AML compliance program.¹³ Boards of directors and senior management should understand their responsibilities regarding the institution’s BSA/AML program. Better understanding of their responsibilities can be derived through training modules.

How to Train? Ways of Communication

Different kinds of AML/CFT issues might need various forms of communication to the staff. When those issues are identified, someone must decide on the best way to communicate them. Training is communication. Sometimes a memo or e-mail message will accomplish what is needed without formal, in-person training. New hires should receive training different from that given to veteran employees.

Determine the needs that should be addressed. There may be issues uncovered by audits or exams, or created by changes to systems, products, or regulations.

“One size fits all” training does not work anymore. Financial institutions are not alike, and differences in business lines, customer bases, products and services, regions, sizes, and volumes must affect organizations’ training plans and their deliveries. A portfolio of targeted training content reflects the maturity of financial institutions’ educational strategy, meaning organizations’ understanding of everyone’s roles and their exposure to the ML/TF risks.

Targeted training can consist of different layers, such as:

a) a shared module with key regulatory/corporate messages;
b) a suite of targeted trainings for specific functions; and
c) an evolutionary awareness training package.¹⁴

10 FFIEC BSA/AML Examination Manual 2014
11 Citi Transaction Banking Academy for FI Professionals – AML training
12 Study Guide for the CAMS Certification Examination, 5th Edition
13 FFIEC BSA/AML Examination Manual 2014

When to Train? Delivery Methods

Modern training takes place outside the classroom. Beyond classroom training, an organization’s AML/CFT training program is limited only by resources and needs. Training sessions can be system-enforced when the system delivers the necessary credentials to access on the screen, or when “training messages” pop up on the screen while logging in. Employee-friendly technology-based training includes various webinars, which are also convenient for remote staff or employees working non-traditional hours.¹⁵

Digital technologies have revolutionized AML training administration. Training and testing materials, the dates of training sessions, attendance records, and training completion information can be maintained by using digital technology.

Below is an example of course tracking for the e-learning process:

If staff have not completed by the required deadline, they will receive an overdue notification, copied to managers, and an e-mail every three days for a period of 30 days after the completion deadline. Managers will be cc’d (GLMS = Global Learning Management System). The automated overdue e-mails will cease after the further 30 days, at which point overdue staff will be incorporated within the formal escalation process.

Statistics on completion rates of training sessions can be provided monthly in governance forums attended by all business lines and compliance and corporate functions, to ensure awareness and oversight by regional senior management. At the end of each quarter, a list of names of overdue learners is distributed to facilitate action by senior management for overdue learners in their areas.¹⁶

14 Fabrice Borsello
15 Fabrice Borsello

However, it is essential when planning training delivery methods that the wide range of media and training tools is chosen depending upon the subject matter and audience. The roles and responsibilities of senior management, front-line relationship managers, and SAR investigators differ so much that training for these groups must be delivered appropriately.

V Audit’s Approach and Expectations for Training Program Review

In accordance with the FFIEC BSA/AML Exam Manual, the task of auditors is to determine whether the following elements are adequately addressed in the training program and materials of a bank:

• The importance the board of directors and senior management places on ongoing education, training, and compliance
• Employee accountability for ensuring BSA compliance
• Comprehensiveness of training, considering specific risks of individual business lines
• Training of personnel from all applicable areas of the bank
• Frequency of training
• Documentation of attendance records and training materials
• Coverage of bank policies, procedures, processes, and new rules and regulations
• Coverage of different forms of money laundering and terrorist financing as it relates to identification and examples of suspicious activity
• Penalties for noncompliance with internal policies and regulatory requirements

16 Citi Transaction Banking Academy for FI Professionals – AML training

Fundamentals of BSA/AML Area

In addition to the elements listed above under audit’s approach and expectations, the following subject matter should be considered17:

Planning and Scoping

The planning and scoping process should be completed before entering the bank. During the scoping and planning process, it is useful to discuss BSA/AML matters with bank management, including the BSA/AML compliance officer and other key stakeholders. Depending on the financial institution’s business lines and activities, it is advisable to acquaint oneself with business operations and expectations. Reviewing the results of prior internal audits, regulatory exams and other external program assessments on AML training or internal controls can reveal issues that should be taken into the audit scope.18

BSA/AML Risk Assessment

Evaluating the BSA/AML risk assessment should be part of scoping and planning the examination, and the inclusion of a section on risk assessment in the manual does not mean the two processes are separate. Rather, risk assessment has been given its own section to emphasize its importance in the examination process and in the bank’s design of effective risk-based controls.19

In reviewing the risk assessment during the scoping and planning process, the auditor should determine whether management has considered all products, services, customers, entities, transactions, and geographic locations, and whether management’s detailed analysis within these specific risk categories was adequate. The financial institution’s BSA/AML compliance program must be reviewed with sufficient knowledge of the bank’s BSA/AML risks to determine whether the BSA/AML compliance program is adequate and provides the controls necessary to mitigate risks.20

Information regarding the financial institution’s training program and results should be thoroughly detailed in the risk assessment. Among other things, the information should include an outline of training topics and testing materials in the annual BSA/AML training, responsibilities for organizing the training program, types of training, methods of assigning and tracing the training courses, and training information concerning the BSA/AML compliance officer, senior management and board, new hires, etc.

When the scope of the audit is planned to focus on training, the information mentioned may indicate something about the quality of the training program, deficiencies in the training content, or personnel coverage.

17 FFIEC BSA/AML Examination Manual 2014

18 ACAMS Advanced Certification, Live Program

19 FFIEC BSA/AML Examination Manual 2014

20 FFIEC BSA/AML Examination Manual 2014

BSA/AML Compliance Program

The BSA/AML compliance program must be written, approved by the board of directors, and noted in the board minutes. A bank must have a BSA/AML compliance program commensurate with its respective BSA/AML risk profile. Furthermore, the BSA/AML compliance program must be fully implemented and reasonably designed to meet the BSA requirements. Policy statements alone are not sufficient; practices must coincide with the bank’s written policies, procedures, and processes.

The BSA/AML compliance program must contain the following required minimum elements: 1) system of internal controls; 2) independent testing of BSA compliance; 3) BSA compliance officer; and 4) training.

In addition, financial institutions must have a written Customer Information Program (CIP) incorporated into the bank’s BSA/AML compliance program. The CIP is intended to enable the bank to form a reasonable belief that it knows the identity of each customer. CIP should be appropriate for the size and type of business of the financial institution.21

When the audit is particularly concentrated on training issues, the first thing is to ensure that the training has been provided to appropriate personnel. The concerns identified in the risk assessment should be adequately addressed in the BSA/AML compliance program. From the audit view, this means that in those business lines and operations where higher risk has been identified in the risk assessment, appropriate policies and procedures should have been developed to monitor and control those risks.22 Of course, audits should look through the BSA/AML compliance program to find out whether those high-risk areas are provided with targeted qualified training.

Tying Wire Between Training and the Other Pillars of BSA/AML Compliance Program

Training can be considered an essential control when managing ML/TF risks. In the BSA/AML compliance program, training is one of the four minimum elements or pillars of the program. Therefore, it has been given remarkable importance in regulation. However, training tends to be easily ignored when identifying and assessing ML/TF risks and their controls, although that should not be the case.

Training is incorporated in the four pillars of the BSA/AML compliance program. Internal controls of a financial institution should include policies, procedures, and processes that train employees to be aware of their responsibilities under the BSA regulations and internal policy guidelines. The independent testing should address training, including its comprehensiveness, accuracy of materials, training schedule, and attendance tracking. Finally, the BSA/AML compliance pillar demands competency of the BSA/AML compliance officer. Competency can be gained through proper training.

On page 2 of this presentation, there is a chart with comments and criticism of auditors and examiners concerning AML/CFT processes that relate to training. The level of staff knowledge and understanding can be improved in most of the areas referenced, such as the completion of SARs, suspicious activity monitoring, new account documentation, and following bank policy and procedures. Those areas that lack training might have been discovered while auditing other pillars than training, but the key to remediation is training.

21 FFIEC BSA/AML Examination Manual 2014

22 Donna Davidek

Enforcement Actions May Cite Training Deficiency as Follows:

“require ongoing training of appropriate personnel”/UBS Financial Services Inc.

“BSA/AML personnel required significant training”/Gibraltar Private Bank and Trust Company

“appropriate training to all staff regarding BSA/AML requirements”/Commerzbank

It is noteworthy that many deficiencies concerning training are noted in enforcement actions without any reference to training:

“failed to comply with the business’ policies and statutory requirements regarding customer due diligence (CDD) and enhanced due diligence (EDD)”/Zions First National Bank

“SARs filed…were not adequate and of poor quality”/TCF National Bank

“consequently, failed to timely report suspicious activities”/First National Community Bank

Based on the above, training should be treated as the first, last, and best control, and it should not be undervalued.

Competency of the Auditors Regarding Appropriate Training

Auditors have an enormous field of work, which requires comprehensive knowledge and skills of BSA/AML requirements. When auditing the BSA/AML compliance program’s training pillar, the requirements for auditors’ competency should cover, among other things, the financial institution’s policies, procedures, processes, new rules and regulations, understanding of specific risks of individual business lines, suspicious activity monitoring and SAR process from alerts to SAR completion, filing, and several IT systems and applications, etc. That is because auditors should be able to assess the appropriateness of training delivered to personnel in various duties in the organization.

It goes without saying that it is not possible for anyone to manage a whole complex of issues such as BSA/AML regulation, information systems, or business-wide detailed processes in practice. Auditors definitely are subject matter experts to a certain point, but within the financial institution’s compliance and audit departments, and financial crime and IT units, specialised generalists must exist who are responsible and up-to-date in their knowledge of all the necessary information concerning laws, regulations, IT systems, and processes. It is important for auditors to be able to rely on these experts without giving up their integrity, of course.23

When multiple departments in large financial institutions are responsible for researching unusual activities, the lines of communication between the departments must remain open. This allows organizations with bifurcated processes to gain efficiencies by sharing information.24

23 Kathleen O. Smith

24 FFIEC BSA/AML Examination Manual 2014

Developing Conclusions and Finalizing the Audit Review

Audit/independent testing should, at a minimum, include an evaluation of the overall adequacy and effectiveness of the BSA/AML compliance program, including policies, procedures, and processes. Typically, this evaluation includes an explicit statement about the BSA/AML compliance program’s overall adequacy and effectiveness and compliance with applicable regulatory requirements. At the very least, the audit should contain sufficient information for the reviewer (e.g., an examiner, review auditor, or BSA officer) to reach a conclusion about the overall quality of the BSA/AML compliance program.25

In this final phase of audits, all findings from the audit procedures completed must be assembled. Auditors should develop and document conclusions about the BSA/AML compliance program’s adequacy, discuss preliminary conclusions with the financial institution’s management, and present the conclusions in a written format.26 The severity and types of findings, and the grounds for deficiencies, should be discussed with management, and auditors may allow a remedy of the violation or deficiency during or before finalizing the audit.

When the audit has focused on training, one of the four elements of the BSA/AML program, the final audit report should also provide a review of the training program of the financial institution with a conclusion as to whether personnel are sufficiently trained to adhere to legal, regulatory, and policy requirements.27

VI Implementation of Audit’s Recommendations

At the end of an audit, review comments and proposed recommendations should be built into the financial institution’s training program. Quite often, competing priorities and other factors may prevent implementing the agreed actions in the agreed timeline. The purpose of follow-up is to ensure that the actions have been implemented in a timely manner, and that they have addressed the issue.

How to Ensure That the Requested Action Plans Will Be Executed

First of all, it could be said that senior management is responsible for the implementation of recommendations. Very often, for example, when the recommendations have been addressed to training programs, the action plans (or parts of them) must be executed in different areas of the organization.

Carrying out the action plans requires cooperation between business, compliance, and audit. The implementation process involves activity in each line of defense.

Business managers in the first line of defense are responsible for risk mitigation and control within the business function that generates the risks, in particular through policies and procedures, training, and line management oversight. Compliance in the second line of defense is an independent oversight function, and the compliance function can provide business lines with legal support during execution of the action plan.

Finally, audit as the third line of defense can validate the process for its part. Audit may help the organization track the implementation and periodically follow up to see that risks are being adequately managed.28

25 FFIEC BSA/AML Examination Manual 2014

26 FFIEC BSA/AML Examination Manual 2014

27 FFIEC BSA/AML Examination Manual 2014

Action Plan and Follow-up Process29

The degree of follow-up activity may be influenced by the size and nature of the risks and deficiencies identified and the extent of the action plan. Of course, it is necessary to follow up the implementation to ensure action plans effectively remedy identified deficiencies, but organizations should assess and choose suitable follow-up processes and tools themselves.

In general, the follow-up process helps to determine the effectiveness of action plans. The follow-up reports highlight whether recommendations or action plans are pending, in progress, or complete in the form of a dashboard for senior management and committee use.

It is essential for organizations to have a good understanding of their action plans and their execution. Discrepancy between reported risk responses and the actual status could mislead those who rely on the information. Audit, compliance, and business line managers work collaboratively to actively report and evidence where recommendations have been addressed. This will help reduce the amount of objective follow-up work.

Finally, follow-up should consider whether actions have been implemented and whether the identified deficiencies have been adequately corrected.

VII Key Takeaways and Conclusions

The risk-based approach is the cornerstone of AML/CFT regulation. The risk-based approach must be kept in mind not only when assessing the significance and likelihood of AML/CFT threats, but also when assessing the effectiveness and efficiency of AML controls, training included. By applying the risk-based approach when developing and organizing AML training for staff, financial institutions can show their regulators, supervisors, correspondents, investors, and other stakeholders that the training is focused on risks that the financial institution is confronting.

Training Needs Analysis

In order to convince the above-mentioned parties, the financial institution should create a comprehensive training program where the key risks are addressed by prioritized training. Training concerning risks perceived as minor or less important should be addressed as well, but the training can be provided later.

The best way for a financial institution to demonstrate to those parties that it really understands the substance of the risk-based approach is applying a “training needs analysis” system (TNA). A TNA system helps identify training needs within the organization, and thereafter set training priorities. A TNA system proceeds as follows:

monitoring the skills and knowledge of the staff;

monitoring the upcoming reviews and inspections of regulators and correspondent banks and training regarding an organization’s internal policies and procedures in case of the regulatory changes; and

drawing up the training needs by mapping the existing training provisions to current and future provisions.

28 Chartered Institute of Internal Auditors

29 Chartered Institute of Internal Auditors

By using TNA when developing an AML training plan, and documenting the proceeding with a three-step process, financial institutions can show outsiders that not only has the appropriate AML training been undertaken, but also that the training efforts have been targeted effectively by starting from key risks and continuing to minor risks.

Competence Requirements for an Auditor

An independent auditor or audit function should be able to assess and test the efficiency and effectiveness of an AML training program.

That means the auditors must have quite exhaustive expertise in AML areas on business-wide topics (BSA/AML compliance programs, AML risk assessment, CIP, CDD, suspicious activity monitoring and reporting, etc.); higher-risk topics (funds transfers, private banking, correspondent banking, MSBs, PEPs, etc.); and special topics (various systems and applications, such as KYC/CIP systems, SAR reporting systems, AML Data Control systems, etc.). In addition, auditors should possess auditing experience of those areas to properly manage their duties and responsibilities.

It is evident that no one can manage so widely, or without gaps, all aspects of AML areas. Of course, auditors should have great knowledge and be thoroughly trained on all areas of BSA/AML, but auditors’ competency and expertise should most nearly resemble that of an AML generalist with auditing expertise. That is not to say that the auditor could not be specialized in certain AML areas, but in financial institutions, there must reside subject matter experts and specialized generalists who have up-to-date knowledge and skills regarding regulation, policies, procedures, IT systems, products and services, etc. These specialists with deep expertise can be of great support to auditors, who can concentrate on their auditing tasks but get detailed AML area information at once if needed.

AML Training Is Communication

AML training sessions can create interaction and help employees understand and adhere to the organization’s AML/CFT compliance requirements that apply to daily activities. A robust and sound AML/CFT training program is critical to financial institutions because it shows that the organization understands and manages its AML/CFT risks. Therefore, an AML training program can be considered a financial institution’s first, last, and best control when combating money laundering risks.

As stated, it is important that the lines of communication remain open in the organization. This allows financial institutions with complicated processes to improve efficiency by sharing information and reducing redundancies.

Finally, organizations that have developed comprehensive AML training programs that are updated regularly can also show commitment to AML compliance culture.


References

ACAMS Advanced Certification. Live Program (5–7 November 2018).

Chartered Institute of Internal Auditors (CIIA): Following up recommendations/management actions (3 March 2018).

Citi Transaction Banking Academy for FI Professionals—AML training (3–4 May 2016).

Directive (EU) 2015/849 (i.e. 4th AMLD) and 2018/843 (i.e. 5th AMLD) of the European Parliament and of the Council (20 May 2015 and 18 May 2018).

Donna Davidek: Auditing and training BSA/AML Risk Assessment. http://www.acams.org/wp-content/uploads/2015/08/Auditing-Updating-an-AML-Risk-Assessment-Donna-Davidek.pdf

Fabrice Borsello: Making Your Organization’s AML/CFT Training More Efficient – AML-Training (16 Feb 2017).

FFIEC BSA/AML Examination Manual 2014 (Federal Financial Institutions Examination Council): Bank Secrecy Act/Anti-Money Laundering Examination Manual.

FinCEN (Financial Crimes Enforcement Network): History of Anti-Money Laundering Laws. https://www.fincen.gov/history-anti-money-laundering-laws

Kathleen O. Smith (CAMS Audit - White Paper): AIMing for Excellence. http://www.acams.org/wp-content/uploads/2015/08/AIMing-for-Excellence-Kathleen-O-Smith.pdf

Maleka Ali (CAMS Audit—White Paper): Auditing for Effective Training. http://www.acams.org/wp-content/uploads/2015/08/Auditing-for-Effective-Training-Maleka-Ali.pdf

OCC (Office of the Comptroller of the Currency): BSA and Related Regulations. https://www.occ.treas.gov/topics/compliance-bsa/bsa/bsa-regulations/index-bsa-regulations.html

Study Guide for the CAMS Certification Examination (5th Edition).

Tim Parkman (2012). Mastering Anti-Money Laundering and Counter-Terrorist Financing.