Incorporate SOC Reports into AML Model Governance for Better Risk Control

  • Governance
  • 2/1/2024
Business Invoice Tax Management

Key insights

  • SOC reporting can provide valuable insight into the controls an institution should implement as part of a sound anti-money laundering model governance program.
  • Institutions should regularly monitor and review SOC reports, update their governance program based on SOC reporting findings, and perform continuous monitoring and remediation.
  • Standardization, complexity, timeliness, integration, vendor management, and ongoing monitoring all pose hurdles that need to be addressed.

Strengthen your institution’s AML model governance program.

Talk to an Advisor

A system and organization controls (SOC) report may report on controls that are relevant to the security, availability, processing integrity, confidentiality, or privacy of a user’s data.

When asked for independent validation reports, institutions commonly provide a SOC report. While SOC reporting and validation serve different purposes, SOC reporting can still provide valuable insight into some controls an institution should implement as part of a sound anti-money laundering (AML) and Combating the Financing of Terrorism (CFT) model governance program.

How to incorporate SOC reporting

Incorporating SOC reporting into an institution’s AML model governance program can help identify and address software-specific risks. Review some of the key components necessary for effective incorporation.

Identify if your monitoring software is subject to SOC reporting

Most monitoring software where the data and processing is done in-house is not subject to SOC reporting. If your data is stored by the vendor, there is a high probability your third-party vendor should have a SOC report performed. If you are unsure if there is a SOC report, contact your vendor.

Obtain and review the SOC reports

Evaluate and determine which aspects of SOC reporting are relevant to your software. Review the available SOC reports and identify the applicable information based on your programs’ inherent risks and operational requirements.

SOC reports contain complementary user entity controls (CUECs). These CUECs may list specific controls the software user needs to implement to maintain security, confidentiality, availability, confidentiality, privacy, and proper software function.

Review the report’s scope to align with the services and systems you have engaged and the coverage you need (i.e., SOC 1 [financial reporting] versus SOC 2 [security]). Also, review the reporting period covered by the SOC report; make sure it’s relevant and provides sufficient assurance for your current reporting needs.

Assess model risk

Perform a thorough risk assessment of your monitoring software, considering both internal controls and external dependencies. Evaluate how SOC reporting and CUECs address identified risks and if there are risks that haven’t been addressed. Some common CUECs are limiting access and permission to necessary users and removing accounts for former employees.

Enhance your model governance program

Update your governance program to incorporate the findings from SOC reporting. Document the specific controls and activities related to the different risks identified. These controls involve bringing in different teams such as fraud/BSA, risk, IT, and senior management.

Perform continuous monitoring and remediation

Regularly monitor and review SOC reports for any changes or control deficiencies reported by service organizations. Implement an effective remediation process to address identified issues promptly. Review SOC reporting as an integral part of your ongoing AML model governance and risk management activities.

Navigating the challenges

While incorporating SOC reporting into your model risk management framework offers significant benefits, financial institutions must overcome several challenges to effectively integrate and leverage these reports.

Lack of standardization

One of the primary challenges in incorporating SOC reporting into an AML model governance program is the lack of standardization across different SOC reports. The SOC framework consists of multiple types of reports, such as SOC 1 and SOC 2 — each focusing on different aspects of control. Each report may have varying criteria and scopes, making it challenging to compare and analyze them consistently.

Complexity of SOC reports

SOC reports can be complex and contain technical language not easily understood by stakeholders without a technical background. This creates a challenge for management and other non-technical personnel who need to interpret and evaluate the findings in SOC reports.

Timeliness and availability of SOC reports

Access to up-to-date SOC reports can be challenging since they are issued periodically, typically on an annual basis. Decision makers need current SOC reports to assess and understand the controls and risks associated with the models they oversee. Reach out periodically to your vendor(s) to request a bridge letter and cover the gap between the last SOC report and your calendar or fiscal year-end.

Ongoing monitoring and remediation

Incorporating SOC reporting into your AML model governance program is an ongoing process requiring continuous monitoring and remediation. SOC reports provide insights into controls at a specific point in time, but the control environment can change over time.

How we can help

Developing a robust control environment to assess your AML model risk takes time and resources and should be incorporated into overall oversight for your AML/CFT program. CLA’s team of risk management professionals can help your organization with needs related to this complex issue so you can concentrate fully on running your business.

Contact Us

Complete the form below to connect with CLA.

Experience the CLA Promise