180 likes | 306 Views
Compliance System Validation - An Audit Based Approach December 2012. Current Challenges. Wide range of service providers and skills Inconsistent quality of the assessment and deliverables Often independent contractors are used resulting in lost continuity year to year
E N D
Compliance System Validation- An Audit Based ApproachDecember 2012
Current Challenges • Wide range of service providers and skills • Inconsistent quality of the assessment and deliverables • Often independent contractors are used resulting in lost continuity year to year • Lacking consistent standards of performance • Findings frequently not tied to risk and potential impact • Level of independence is not always clear
Need for an Audit Based Approach • Boards and management are recognizing both • Need to perform independent validations of systems and • Lack of consistent high quality “audit based” assessments in the past • Critical role of technology in BSA/AML Compliance program • Increased scrutiny by regulators • Mitigate the probability and impact of critical risk events • Avoid severe regulatory penalties and reputational risk
Need for Audit Based Approach • Required by FFIEC BSA Examination Manual: • “A periodic review of the effectiveness of the suspicious activity monitoring systems (manual, automated, or a combination) used for BSA/AML compliance.” • Evaluate the system’s methodology for establishing and applying expected activity or filtering criteria • Evaluate the system’s ability to generate monitoring reports (Cases/alerts) • Determines whether the system filtering criteria are risk based & reasonable. • Validate the auditor’s reports and work papers to determine whether the bank’s independent testing is comprehensive, accurate, adequate, and timely.
Independent Validation - Components • Should be performed by qualified individuals within the FI or by a qualified third party • Should be performed annually or should match the frequency of Risk Assessment • Should consider the alignment of BSA AML System with Risk Assessment including • Customers • Geographies • Lines of Business • Products and Services
Technical Challenges • Assessingthe functionality of rules and that the data supports rule processing • Logic is not always transparent • Flaws in logic processing • Too many false positives • Validating all required SWIFT Messages are being scanned • Inconsistent thresholds on rules/scenarios leading to incorrect or no alerts • Absence of data or poor data quality providing incorrect customer risk classification
Organization’s Roles & Responsibilities 3rd Line of Defense 1st Line of Defense 2nd Line of Defense
Audit based Performance Standards • Consistent with professional practice standards • Audit procedures and testing commensurate with risk • Quality Assurance reviews • Build on knowledge of best practices • Continuous improvements methodology • Confidentiality and Security protocols • Specialized analytical tools
Deliverables • Assessment Report • Key observations • Associated risks and potential impact • Recommendations for risk remediation • Significant Items Management Action Plan • Living document with significant findings • Management responses • Remedial action plan with “Ownership” and due dates • Test Work Papers and Supporting Documentation
How to select a Third Party Vendor? • Should integrate three essential skillsets: • Audit expertise • Compliance & regulatory knowledge • Strong technology and in-depth product knowledge • Well defined structured process/framework that is adaptive • Completely independent • Continuity of permanent staff • Professional Certifications – CPA, CIA, CAMS CCRP etc. • Good customer references