One of the most important ways to ensure that your anti-money laundering program is in compliance with Bank Secrecy Act / Anti-Money Laundering (BSA/AML) requirements is to submit it to independent testing or auditing. Regular internal audits are always recommended, but an external auditor has the distance and perspective needed to give you added confidence in your program.
The independent audit should focus on how your organization’s policies, procedures, and processes are organized to support AML compliance. Given the complexity and importance of the issue, it will be critical to hire a consultant who is an expert in the policy intent of the BSA and the regulatory apparatus that goes with it. Best practice is to conduct the external audit every 12 to 18 months, though banking and credit institutions may have more frequent assessments.
An Expanding Need for AML Compliance
The independent audit is important for every organization covered by BSA/AML requirements. When the Bank Secrecy Act was first passed in 1970, it covered mainly banks and credit unions—traditional banking institutions. However, with the great expansion of electronic networks, extensive outsourcing of banking functions to money service businesses like armored carriers, and even the high flow of cash through non-bank entities like casinos, BSA/AML regulations now cover a wide array of businesses. All of them need an effective compliance program.
Addressing the Risks You Face
An important principle in AML regulations is that compliance programs may be risk-based so that the various kinds of covered organizations have the flexibility to address the actual risks they face. Therefore, each organization’s program will be uniquely designed to address the money laundering risks it faces—each organization will have a unique risk profile.
In a similar vein, independent audits should be risk-adjusted to mirror the underlying money laundering risk assessment and resulting risk profile of the audited organization. Auditors should evaluate the AML program against specific BSA requirements and standards for all operations, departments, and subsidiaries where money laundering is a risk. Obviously, this audit will vary depending on the size, complexity, and risk profile of your organization.
What’s Included in an Independent AML Audit?
Independent audits may look at issues such as:
- Whether the AML program addresses the risks adequately, and provides enough information to decision makers to evaluate the program.
- Whether the risk assessment is adequate, and the risk profile appropriate.
- Whether the organization’s program can identify suspicious activity, and supports mandated reporting and records retention under AML requirements.
- Whether any previously known deficiencies have been addressed.
- Whether the program has effective leadership with reporting to decision makers and adequate staff training.
The audit report should include a description of the methodology of the audit, as well as a list of findings. The report should be transmitted to the Board and other decision makers.
BSA/AML compliance requires organizations to understand the requirements well enough to be able to implement an effective compliance program appropriate for the organization. Decisions will have to be made about where risks exist and how serious they are. The independent audit is an important tool to make sure the compliance program supports this decision-making.