Change is inevitable. Software systems get upgraded; new technology gets implemented. Financial institutions should have Change Management Policies that define change, as well as establish the procedures around managing change. Changes could stem from internal sources, like policies and procedures, new products, or product updates; or they could be external changes, like new compliance rules and regulations. The FFIEC IT Examination Handbook goes into more detail and states that “large and complex institutions should have a change management policy that defines what constitutes a change and establishes minimum standards governing the change process.”
While the above statement is aimed at large and/or complex institutions, smaller institutions will be examined on their change management protocols, such as how up to date their software versions are and what controls they have in place around upgrades. While a separate test environment might not have been required by examiners in the past, it is becoming more common to see this within smaller institutions.
For internal changes that relate to updates and changes to BSA/AML and fraud software, having a separate test server can give an institution the opportunity to understand the potential impact to the way BSA professionals work, the way the systems work, and isolate issues in advance without disruption to the live production environment. Even a flawless product release or upgrade could have negative consequences on an institution if one does not understand potential implications or adjustments they should make to accommodate new features and functionality.
Without adequately measuring and examining, serious repercussions can bring down more than a single department and have lasting impacts. Institutions need to be asking internally, “What cost-effective steps can we implement to ensure every product is vetted before going live and pushed into production?”
A test environment for BSA/AML and fraud software allows you to:
- Conduct adequate above the line/below the line testing for your system parameters and other settings
- Test the optimization and reasonableness of your risk rating module
- Test client data feeds flowing into it
- Ensure no bugs or other issues with new software of upgrades to existing software enter your production environment
- Meet regulatory expectations with the FFIEC IT Examination guidelines to approve and comply with your institution’s change management policy
If you believe your institution is not currently large or complex enough to need a test environment, you must have a change control policy in place and follow it. As your institution grows, keep in mind that your change management controls will also need to be modified and grow as change occurs.