This post, originally published Jan. 3, 2022, has been updated.
AML quality control: Strong QC can prevent BSA violations
Tips to strengthen financial institution AML/CFT quality control
Make sure your AML/CFT program meets program expectations with a risk-focused emphasis on controlling quality.
Is your AML quality control doing its job?
Effective anti-money laundering (AML) programs require quality control.
Indeed, the following civil penalties within the last year are stark reminders of the importance of AML quality control and the consequences of failing to ensure AML program expectations are met:
- $8 million in December 2021 against a community bank
- $140 million in March against a federal savings bank
- $7 million against an international broker in May
- $6 million against another federal savings bank in September
Despite having an AML program and AML monitoring, each institution was cited for Bank Secrecy Act (BSA) violations, including violations related to failing to file timely suspicious activity reports (SARs), according to enforcement actions by regulators.
AML quality control is particularly essential as more financial institutions combine AML/BSA and fraud programs. In Abrigo’s 2021 BSA/AML and Fraud Staff Survey, two-thirds of respondents said their financial institution’s BSA department also covers fraud. Among survey respondents, combining fraud and AML departments is more common at smaller institutions, which is perhaps unsurprising due to limited resources. Sound quality control can ensure compliance and prevent money laundering and fraud as banks and credit unions continue to blur the lines between the two areas.
Ensuring program requirements are met
The procedures that financial institutions develop for their suspicious activity monitoring programs are designed “in a way to make sure that you're adhering to the regs and running a tight ship,” said Josh Hawkins, Director of Abrigo’s Financial Crimes Investigation Unit. “What the QC can do is come in behind and ensure that the intended outcomes are being achieved by the activities of your institution’s procedures.”
Regulators expect financial institutions to maintain an AML quality control program, even if one is not explicitly mandated, he noted. In fact, if regulators are scrutinizing your quality control, it’s likely because they’re finding other problems with your AML program, Hawkins said.
That seems to be the case with CommunityBank of Texas. Understaffing and other inadequate resources for the AML compliance office between 2015 and 2019 played a role in FinCEN’s decision to impose the fine, according to the consent order.
But one point FinCEN made in the enforcement action was that three BSA analysts reviewing case alerts regularly provided quality control review for one another, yet they each reviewed an average of 100 alerts a day.
That type of volume “meant that BSA analysts often did not review supporting documents (cash deposit slips, wire transcripts, check images, etc.), although all of this information was readily available,” the consent order said.
In other words, despite an AML quality control program, understaffing issues thwarted the ability to ensure BSA/AML program goals were being met.
Best practices of AML quality control
How can financial institutions develop strong quality control?
If staffing is an issue impacting the program, an AML staffing assessment might be a good place to start, given the regulatory emphasis on institutions having a strong culture of compliance. An AML staffing assessment can:
- uncover bottlenecks in processes that are costing staff valuable time
- highlight the possible need for short- or long-term assistance to clear backlogs, or
- make a case for adding more people when the workload has grown beyond the current staff level.
Risk-based and written QC
Above all, quality control processes should be tailored to the institution’s risks, just as all aspects of an institution’s AML program should be risk-based.
In addition, BSA Officers should document quality control policies and procedures to ensure they are communicated and followed by front-line staff.
Hawkins said that BSA/AML QC policies, procedures, and results should be well-documented and also based on the institution’s unique fingerprint. For example, reviewing alerts is a major part of the AML program, so an AML team’s alerts will certainly receive scrutiny. However, the details of the quality control review will depend on several factors, such as the employee. A new employee might receive 100% QC examination of their work reviewing alerts during and soon after training. But quality control reviews could be lowered to 5% to 10% of the work on an ongoing basis once the expected quality target is achieved and maintained. An employee with recent quality issues might need to have a higher percentage of alerts reviewed for a period of time until they lower their error rates.
Quality control programs should typically review a higher share of cases than alerts on an ongoing basis, because investigating cases requires more complex due diligence, Hawkins said. SARs typically go through additional due diligence, such as review by a SARs Committee and the BSA Officer, before being filed with FinCEN, which provides inherent quality control for those investigations, he added.
The criteria used to select alerts, cases, or Enhanced Due Diligence reviews for QC review might vary by financial institution. Among the risk-based criteria frequently used for QC reviews:
- the reason for the alert
- a certain occupation or business type
- specific transaction amounts or ranges
- specific sources/uses of funds
AML documentation: controlling quality
An essential component of quality control is reviewing documentation tied to investigations to ensure it supports the disposition of the investigation or analysis. The resolution should be clear and decisive, and documentation should support the reasoning behind the disposition (either clearing or escalating) of the alert or case. BSA/AML software can automate documentation behind decisions, so it can contribute to compliant programs.
“In many cases, if a financial institution is understaffed and having difficulty keeping up, things start to slip, including their documentation,” Hawkins said. However, “You want to be able to look at an alert one month later and say, ‘I see why they cleared it.’ A note that just says, ‘Reviewed it; nothing suspicious’ – that’s not sufficient.”
Similarly, documentation for customer due diligence (CDD), 314(a) and 314(b) requests and responses, beneficial ownership information, and Office of Foreign Assets Control (OFAC) and Section 311 searches should be reviewed for completeness.
Timeliness important for QC policies, procedures
Quality control policies and procedures should also address the timeliness of the financial institution’s AML reporting. Hawkins recommends examining how long it’s taking staff to file Currency Transaction Reports (CTRs) and SARs, including renewals for continuing activity. Financial institutions have 15 calendar days from the reported transaction to file a CTR and must file an initial SAR within 30 days of an institution determining one should be filed.
Deadlines for timely SAR filings highlight the difficult balancing act required of BSA Officers, especially in smaller institutions where the same staff performing work on alerts, cases, and SARs are also performing quality control reviews.
“You don’t want quality control to supersede the regs,” Hawkins said. “But what you don't want to happen is to be 6 to 10 months behind on your QC either.” Ideally, quality control should occur the month after work is performed, he added.
Again, the frequency of QC reviews should be risk-based. For example, investigations tied to higher-risk activities might need to be reviewed for quality control more frequently, perhaps weekly.
Quality control can head off trouble down the road for BSA/AML and fraud departments. Taking the time to establish a QC program, document it, and execute it on an ongoing basis can ensure that program objectives are being met, Hawkins said.
“Trust but verify,” he said.