Financial Institutions: Should You Automate Your BSA Program?

Knowing when to automate

Determining when your financial institution (FI) needs Bank Secrecy Act (BSA) Anti-Money Laundering (AML) automation is more art than science. Cost and effectiveness are large factors, as well as scaling the system to keep up with ever-changing laws, regulations, technology, and infrastructure. Ultimately, there is no prescribed flowchart for obtaining a system to manage the risk and workflow of a BSA program.

Before your FI obtains an automated system, conduct an assessment to determine residual risk, including areas such as AML oversight, know your customer (KYC) data collection and maintenance, and enhanced (or ongoing) due diligence (EDD).

The benefits of automation

The Federal Financial Institutions Examination Council (FFIEC) BSA/AML Manual says: “A surveillance monitoring system ... can cover multiple types of transactions and use various rules to identify potentially suspicious activity. In addition, many can adapt over time based on historical activity, trends, or internal peer comparison.”

Automation can help streamline regulatory filings for currency transaction reports (CTRs) and suspicious activity reports (SARs). It can also assist moving data from the teller transaction, as the source of truth, to the CTR to be filed with Financial Crimes Enforcement Network (FinCEN).

Manual reports tend to have little or no customization available — which can limit your FI’s reach and oversight on new or trending developments. Automated systems, however, can push out current scenarios or industry trends that help support and supplement risk management oversight for suspicious activity monitoring.

Automation can be valuable when your FI has segregated systems that need scans for Office of Foreign Asset Controls (OFAC) or 314a lists such as trust departments, sales of gift cards/travel cards to non-customers, or multiple cores. And automated recordkeeping can provide information at the click of a button versus digging through dusty file cabinets and boxes.

Additionally, an automated system can tie together information from various data points within various times on the customer base and create cases for investigating a suspicious activity, as well as streamlining EDD and AML case management by reducing redundant touches within the BSA program.

Proper modeling and expected results

Does your FI have a BSA model based on regulatory definitions?

As noted in the Interagency Statement on Model Risk Management for Bank Systems Supporting Bank Secrecy Act/Anti-Money Laundering Compliance April 9, 2021 (the Interagency Statement): “BSA/AML systems may include a surveillance monitoring system, sometimes referred to as an automated transaction monitoring system. Some of these automated transaction monitoring systems may involve the use of modeling.”

While regulation and guidance from regulatory bodies can be tricky to interpret, let’s paint a picture to help answer this question.

 

If you ended up at “yes,” then keep reading — you have a model. Next comes the need to assess system functionality and operations based on the conditions applied to the data.

 

What results did the model (system) give? Was it the expected outcome? Did you know what you were expecting? Systems can be a substantial control to the internal controls for your BSA program, but only if the output is chicken nuggets and not hot dogs.

Here are some areas to consider and question regarding your BSA program:

Documented use and oversight in procedures or policy

Have you captured your system as a control in your policy/procedure? Have you documented the use, oversight, and governance of the system? Documentation should include parameter changes, system users and administrators, updates to the system, etc.

Is the system included in the risk assessment as a control?

Whether your FI is using manual reports or automated monitoring, it should be noted accordingly within the risk assessment.

Does data flow as expected?

Your BSA officer is ultimately responsible for making sure your data flows into the system; think of this as an “internal” validation. If your FI depends on cash to flow into the system from the teller program to populate CTRs, is this periodically tested for accuracy against raw data?

Independent validation

As noted in the Interagency Statement, FIs that have models/systems must periodically obtain an independent validation.

Data that does not go through the system for the BSA program

As an example, if your monetary instrument log is paper and does not get incorporated into the system, your FI should document oversight procedures for potential suspicious activity and accurate logging.

Can the process be used to explain to an auditor or examiner how the system works?

Having a system is great, but if it is not understood or fully utilized, it will raise red flags during your audit or exam. Obtain training, document processes, and keep apprised of changes within the system.

Assess the flow of your monitoring

Once a system is installed to support your BSA program, then comes the need to use the system properly. Just as not understanding the system can raise red flags, so can using it incorrectly.

The FFIEC BSA/AML Manual’s Appendix S outlines expectations for the general flow of monitoring for suspicious activity.

 

So, you have a BSA automated transaction monitoring system — now what?

The system needs to be independently validated periodically. Regulators have not defined how often institutions should conduct an independent validation — that means your FI needs to determine the frequency based on risk profile and risk tolerance.

Within the Interagency Statement, footnote #7 states: “Model reviews and validations are generally performed using a risk-based approach, and with a frequency appropriate for (or when there are changes to) a bank’s risk profile. BSA/AML risk profile changes may include new or revised bank products, services, customer types, or geographic locations, or if the bank expands through mergers and acquisitions. Material changes to models likely warrant validation.”

Proper model risk management of an automated BSA system should address two main areas:

1. Is the system working properly?
2. Is the system being used properly?

Your FI should include its BSA system within vendor management oversight and verify appropriate controls and policies are in place for the vendor. It’s also important to include the BSA system under your FI’s enterprise risk management risk assessment umbrella.

Ongoing process management is critical

Once your FI incorporates an automated system, the key to success is ongoing process management. FIs must understand the customer base and the system to constantly adjust the nets that catch inefficiencies and mismanagement. Below are a few areas to consider:

Continual tuning and monitoring of the system

• Incorporate new rules, the latest trends, and regulations
• Scenarios/parameters may become irrelevant or ineffective; are thresholds or dollar volumes appropriate for the customer base?

Effective use of the system

• Staff turnover or staff having a limited knowledge of the system can lead to poorly managed scenarios and oversight
• Staff with broad access to administrative changes or parameters should be monitored

Efficient use of the system

• Understand SARs and their supporting scenarios, and consider SAR back-testing to help manage controls and parameters
• Auto-tuning can be effective for managing customer fluctuations; however, poor oversight or lack of controls can lead to missed filings and poor internal controls
• When adjusting thresholds up or down, what impact does it have on your alerts?
• Look at alert:case or case:SAR ratios to help identify effective triaging and working of the system
• When new, fixed, or phased-out items are published by the system, how is the process managed? Are the changes timely? Will staff need training?

How we can help

Automation can be helpful to BSA officers and the BSA program if it is managed well, kept relevant to new or changing trends, and tuned to work properly.

CLA’s financial services group can help assess risk and improve efficiency as your FI incorporates an automated system. Reach out today.