There have been two significant pieces of recent regulatory guidance that will directly impact the overall administration of your institution’s Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program. While these two regulations may seem, at first glance, to be unrelated, a more comprehensive review will reveal that they are very much tied together.

As technology has changed, so have the goals of many of the criminals that want to launder money. In addition to drug dealers, there are now terrorists and persons engaging in human trafficking, all of whom are developing ways to hide their cash. Such changes in the criminal schemes being employed have generated changes to the BSA/AML laws designed to improve the overall monitoring of cash and cash equivalent transactions.

Today, no self-respecting banker would consider operating without a full BSA/AML compliance program that includes software that helps bank staff aggregate and monitor transactions of all customers. In addition to possessing such monitoring software, all banks, including community banks, are expected to perform a data and model validation on an annual basis.

Increased Expectations

The OCC and the Federal Reserve issued guidance in 2011 called the “Supervisory Guidance on Model Risk Management.” This document was first thought to deal with only the financial models used for projecting interest rate risk or the allocation of the allowance for loan losses. However, a more complete review of the information included in the guidance reveals increased regulatory expectations in the area of BSA/AML.

The model guidance points out that there are several areas of risk associated with the use of models at a financial institution and many of these risks apply to BSA/AML monitoring software. When the areas of risk are simplified, the two main concerns for BSA software are: that the data that is being collected and loaded into the monitoring system is accurate; and, that the data being collected is sufficient to properly mitigate risk.

To address the first of these two risks, all banks should perform a data validation, which is the process of making sure that the information in your monitoring software is being accurately and completely loaded from your core system. Many banks and vendors believe that once a data validation has been accomplished, there is little need to do another one. If everything checks out and all data is being loaded properly, what is the problem? For one thing, the vendor may make changes to the way the software works through upgrades. Perhaps your bank may change transactions codes as new products are developed. The point is that any changes to the monitoring software or to your core system may change the accuracy and effectiveness of the BSA/AML software.

Because change is constant, it is wise to test data validity on a regular basis. Consider this: if you do find a problem, it will be necessary to go back to the last data validation to determine the extent of the problem. The longer you have waited, the bigger the problem!

For BSA/AML monitoring software, the risk framework means that regulators expect banks to know how their software works as well as the “blind spots” for transactions that may not be completely covered by the way the software operates. The expectations are that your bank will use monitoring software as a tool that is constantly being sharpened and improved. The model validation process is the means to ensure that the software is improving.

The regulatory guidance also makes clear that a critical component of model risk management is output analysis. The output from monitoring software should be reported to senior management on a regular basis, along with information about the actions taken in response to the data. Ultimately, model validation comes down to the overall governance being practiced at a bank. Models are only as effective as the structure in which they are used. The guidance notes that there has to be a governance structure surrounding the use of monitoring software.

High Risk Customers

The guidance that was issued by the FDIC in January of 2015 has the potential to create a second significant shift in the world of BSA/AML compliance. The document is very brief, with the innocuous title “providing banking services.” In it, the FDIC notes that the business of banking and providing banking services has attendant risks and that some level of risk is not only acceptable, but necessary. In other words, the regulators have suggested that it is no longer taboo to have money services businesses (MSBs) and other companies that are considered high risk as customers.

So, does this guidance mean that your bank gets one free “get out of jail card” when it has a risky customer that isn’t being properly identified and monitored? Absolutely not! Reading the guidance together with the FFIEC manual, it is clear that each bank must still establish a robust compliance program in the BSA/AML area. The program should have all of the pillars of any compliance program, including: policies and procedures; training; management reporting and information; and independent audit. Once each of these elements has been established, you have earned the right to decide how you deal with high risk customers.

Putting it all together, it appears that the expectation from the regulators is that all banks will develop complex BSA compliance programs that will include data and model validations of BSA software and complete documentation of decisions to bank high risk customers.