
AIMing for Excellence: Optimizing the BSA/AML Training Program as an Effective and Efficient Control, and Audit’s Contribution to this Pursuit
Kathleen O. Smith, CAMS-Audit
Table of Contents

Executive Summary
Background
Attributes of an Optimal Training Program
Framework of an Optimal BSA/AML Training Program
Audit’s Approach and Expectations for Training Program Review
Business Process to Capture Audit’s Review Comments and Incorporate into Training Program
Conclusion

Executive Summary

Compliance professionals within financial institutions strive constantly to achieve best in
class, and generally view training as a critical tool in achieving this pursuit. Training can
truly be an organization’s first, last and best control. Despite the best intentions, budget
and resource considerations may present formidable challenges in this endeavor.

An organization's Bank Secrecy Act/anti-money laundering (BSA/AML) training program
should be dynamic and continuously assessed, improved and maintained given audit
outcomes, in concert with the overall BSA/AML program. This paper’s objective is to
illustrate audit’s key contribution in the organization’s design, delivery and management of
training. Consideration throughout will be given to training as an optimal control, using a
continuous program enhancement approach.

This paper is intended to complement the audience’s training design, delivery and
management toolkit by engaging audit as collaborator to achieve a more effective and
efficient continuous program enhancement. The target audience is principally financial
institutions relatively new to regulation and those for whom resource and budget
considerations are formidable. Ideally it will also be a useful resource to a broad audience
comprised of compliance, audit and business professionals within the financial services
sector.

This paper will primarily use experience-based resources to validate the conclusions
reached. When possible, industry voices of experts will be referenced. Additionally, details
will be provided on associated processes suggested to achieve desired outcomes.

Key focal areas will include:

• Attributes of an optimal training program;
• Framework of an optimal training program;
• Audit’s approach and expectations for a training program review; and
• Business process to capture audit’s review comments and incorporate into training
program, with consideration given to continuous people, process and
platform/technology enhancements to achieve overall continuous program
enhancements.

As the compliance environment becomes increasingly more demanding, draining already
scarce resources with its expectations for excellence, organizational focus on efficiency and
effectiveness continues to grow and evolve. The solutions to this approach are not new and
can be found within the day-to-day operations of business, compliance and audit. This
paper is designed to serve as a useful resource and tool to foster and strengthen dialogue
and collaboration among all constituents in this striving for efficiency and effectiveness,
while ensuring that compliance continues to be good business and everyone’s business.

Background

There is little doubt that financial institutions are constantly striving for excellence in
BSA/AML training program design, delivery and deployment, as well as the overall
BSA/AML program off which training drives. Significant literature and guidance are
available in this arena, particularly the dynamic Federal Financial Institutions Examination
Council (FFIEC) BSA/AML Examination Manual, most recently updated in 2010. However,
when addressing the optimal process for this design, delivery and deployment, approaches
can vary significantly given such organizational considerations as business scope,
resources and time within the regulatory community.

Aiming for Excellence1 may seem challenging, as it comprises numerous steps: a process of
continuously assessing what is necessary; continuously improving processes and controls
to ensure appropriateness; and continuously maintaining program excellence through an
effective control process. The intent of this approach is not to add an additional level of
work, or create a stand-alone activity, but rather to leverage the lines of defense or layers
of opportunity that are in place. Compliance and audit are, after all, reliant upon the
organizational business activities either in place or in continuous development given
ongoing expectations. If the business is continuously assessing, improving and maintaining
its processes, compliance and audit’s roles of validation and advisement become invaluable
in this continuous improvement process.

To further elaborate on the rationale of this paper, it is helpful to provide a definitional
breakdown of the key components:

• Optimizing, or optimization, includes finding the best available outcome.
• Effective, or effectiveness, is the capability of producing a desired result.
• Efficient, or efficiency, describes the extent to which time, effort and cost are well
used for the intended task or purpose. It is often used with the specific purpose of
relaying the capability of a specific application of effort to produce a specific
outcome effectively with a minimum amount or quantity of waste, expense or
unnecessary effort.2

While these definitions and approaches are well known among this paper’s audience, it is
often helpful to remind ourselves and our organizational constituents of these as days
become shorter and requirements become greater. Efficiency and effectiveness are not
luxuries but necessities given the time it takes daily to achieve such well-known
compliance philosophies as: trust but verify; if you do not document, you did not do it; if
you document, you do; and when in doubt, take the conservative route. A focus on the
continuous cycle of assessing, improving and maintaining with audit’s help can turn this
challenge into an invaluable opportunity.

1 Approach developed by author based upon prior work with process efficiency and Six Sigma experts
2 Wikipedia, the free encyclopedia

Attributes of an Optimal Training Program

• Comprehensively reflects compliance and governance expectations;
• Guides population on process-specific means to achieve expectations; and
• Embraces existing and/or newly defined business processes as foundation to
achieving expectations.

Each of the above-referenced attributes can be accomplished more efficiently and
effectively by leveraging the lines of defense or layers of opportunity. While everyone
within an organization is responsible for a level of knowledge associated with regulatory
requirements, given the nature of the various activities, the depth of necessary knowledge
may be greater depending upon the roles and responsibilities. Thus, recognizing and
embracing the knowledge of the experts among all organizational constituents can be
beneficial in achieving an ideal depth and breadth of training.

Guidance from the regulatory community as well as law enforcement can also play a major
contributory role in optimizing the training program. “One of the most simple, but
sometimes overlooked ways to stay current with emerging AML risks is to cultivate and
develop contacts with law enforcement agencies. While there are obvious barriers to
sharing certain information, law enforcement officers can sometimes provide insights into
new money laundering schemes, red flags that are important for current risks, and
emerging crime patterns that may be specific to your bank’s location(s).” 3

While the overlay of an optimal training program may be the comprehensive coverage of
the regulatory expectations, the foundation built upon existing and/or newly defined
business processes with appropriate process-specific guidance is the beginning of the path
to efficiency and effectiveness. The business cycle can be reflected as a continuum over
which the requirements can be laid:

• Policy = defines the requirements and the rationale behind them (i.e., the what and
why);
• Procedures = highlights the who, when, where and how associated with the
requisite requirements;
• Process = generally details the step-by-step particulars of the procedures;
• Controls = reflect the checks and balances which are in place to govern the process,
procedures and policy; and
• Practice = evidences what is actually occurring, which may or may not be consistent
with expectations, thus resulting in audit and regulatory review outcomes which
prompt refinements.

3 ABA Bank Compliance, Nov-Dec 2013, Managing an Effective AML Program, by John H. Atkinson, CAMS

From a training program design, delivery and management perspective, embracing the
referenced continuum lends to efficiency and effectiveness. As regulatory requirements
change, the continuum should be changing to reflect the most current state. As regulatory
requirements prompt policy change, training content reflective of policy becomes a given.
It also becomes a good check and balance, or control, to ensure that current state is always
in place. This is also true with procedures and process, which help to more fully define the
most appropriate training population and frequency, coupled with the methods of delivery
to best fulfill the training requirements.

Fortunately, given the risk-based approach, which has become the norm, risk
considerations contribute to ensuring that the depth and breadth of policy, procedure,
process and controls is appropriate to the risk. They also contribute to the pursuit of
efficiency and effectiveness.

While all of the above make good common sense, the daily pressures, burdens and costs of
everyday business and compliance life tend to result in diversion from this approach. When
demands become overwhelming, a reminder of the basic business continuum aligned with
associated risk can be useful. Most importantly, documentation reflecting this continuum
and the rationale behind it can go a long way toward achieving satisfactory outcomes in
audit reviews and regulatory examinations, as well as business strategy and general
compliance well-being.

Each training topic has an expert or experts within the organization who can be leveraged
to assist in ensuring that appropriate training is in place without recreating the wheel.
While business professionals may not be the resident experts when it comes to regulation,
they are truly the experts when it comes to business and the requisite processes associated
with optimizing business value. Thus, defined and documented business process
established by the resident business experts becomes an effective and efficient first step in
the assurance of appropriate training.

While the business process may be a good first step, regulatory expectations which drive
compliance and governance expectations are a necessary component. The compliance and
legal communities are generally the drivers of these expectations, with audit playing a key
validation role. While Audit is certainly expected to be an objective third party in this
endeavor, its value cannot be underrated. Audit is not only an expert, but can also serve as
an invaluable guide and font of knowledge capital, which can be embraced by both the
compliance and business communities.

As a former internal examiner in commercial banking, the author directly experienced the
reluctance of the business community to embrace this referenced role as advisor. However,
as the voice of this role was truly the last step before the regulator’s voice was made
known, it was imperative that our knowledge base was extremely comprehensive and our
mission to ensure all issues were identified prior to regulatory review was clear among all.
Initial resistance to the time and resource demands of internal reviews quickly dissolved as
the business professionals realized that our time spent and outcomes communicated were
in fact complements to the scarce business resources if embraced as such.

Framework of an Optimal BSA/AML Training Program

Per the FFIEC BSA/AML Exam Manual, “Banks must ensure that appropriate personnel are
trained in applicable aspects of the BSA.”4 The manual shares a significant amount of
invaluable detail associated with the training program requirements. An optimal BSA/AML
training program comprises information appropriate to the requirements and population,
and addresses who, what, when, where, why and how for each appropriate to the nature of
the training. Depending upon the organization’s scope of activities, it will generally be
comprised of the following types/levels of training:

• Awareness = information required by total population
• Targeted = specific to lines of business as applicable
• Tailored = role or function specific and highly reflective of business process

Awareness training, sometimes identified as enterprise training, is usually required of all
employees, regardless of role, driven by risk-based regulatory and enterprise expectations
with frequency generally aligned with these expectations.

Targeted training is generally required of all employees within the particular product and
oversight area of focus, based upon the business line’s involvement in the oversight area.

Tailored training is generally very specific to the particular role, and the root of this type of
training may be the business processes and procedures currently in place.

Rarely is awareness training the only level in place, as it presents a challenge to design
content, which can comprehensively address all levels of training needs within the
organization in a single approach. However, organizational policy and procedures are a
great starting point at this level of training development, as these documents should reflect
the minimum requirements necessary for all to know within the organization. While there
may be an organizational view that this training is not required of everyone given
respective roles, it is a good rule of thumb to design this training for everyone within the
organization to demonstrate a level of awareness regardless of role.

4 FFIEC BSA/AML Exam Manual, BSA/AML Compliance Program Overview – 2010, page 37

While targeted training goes one step deeper, generally focused on particular lines of
business, which perform activities relevant to the need to know areas of the BSA/AML risk
environment, it can be readily built around awareness training, using specific cases or
examples targeted at the business activities under discussion.

Tailored training, generally process driven, can be readily built using existing business
processes while tailoring the particular process steps to the expectations associated with
BSA/AML and the relevant risk. It also lends itself well to a checklist framework, with the
process and associated controls embedded within the checklist. This approach enables not
only a readily available controls review, but it provides a strong framework for remedial
training should there be a need given controls or audit reviews, which reveal unexpected
outcomes needing refinement.

Given the dynamic nature of the BSA/AML environment, and the necessity to maintain a
current and relevant training program, audit reviews can provide a great resource to
update and refine content in an efficient and effective manner. While it is hoped that
organizations will not have source materials driven from regulatory enforcement actions,
with audit’s outcomes providing sufficient guidance to preclude these events, when these
do occur they can also fuel the refinement of training to minimize the risk of future such
events.

While each financial services organization may approach the design, delivery and
management of its training program in a distinct manner, noted below for consideration
are some tips gleaned from experience and guidance shared by compliance leaders across
the sector, both large and small. While some version of these approaches may already be
employed within the organization, when employed fully they may enhance the efficiency
and effectiveness of the program’s framework:

• Use or establish designated compliance subject matter experts to contribute the
relevant subject matter to the training content, particularly for the awareness
training;
• Partner the designated compliance subject matter experts with line of business
specialists to guide the targeted and tailored training, using as a foundation the
existing or newly refined business level processes and procedures and crafting the
content around this documentation as appropriate;
• Use all available resources as content contributors and ongoing training resources,
including industry-sponsored newsletters, webinars, conferences, as well as internal
communications from business leadership and compliance;
• Establish either systematic controls or documented checklists which serve as an
evaluative tool for the training effectiveness, prompting remediation training for the
relevant personnel as needed should control breaks occur;
• With the above-noted decentralization of content development, centralize and if
possible systematize the administration of the deployment to make completion
reporting readily available when needed;
• Ensure that completion reporting comprehensively reflects the total population,
rather than simply those complete, to ensure that incompletions can be tracked as
readily as completions;
• Include a general training section within policy, and a more specific training section
within procedure, which can be readily referenced not only during control and audit
reviews, but also referenced and followed by business as a clear training guide; and
• Formally review the training program on a regular basis, and document this review,
to ensure that all particulars associated with the program are relevant based upon
the current regulatory climate and the organization’s internal and external review
experiences.5

Audit’s Approach and Expectations for Training Program Review

In accordance with the FFIEC BSA/AML Exam Manual, audit should “determine whether the
following elements are adequately addressed in the training program and materials:

• The importance the board of directors and senior management place on ongoing
education, training and compliance.
• Employee accountability for ensuring BSA compliance.
• Comprehensiveness of training, considering specific risks of individual business
lines.
• Training of personnel from all applicable areas of the bank.
• Frequency of training.
• Documentation of attendance records and training materials.
• Coverage of bank policies, procedures, processes, and new rules and regulation.
• Coverage of different forms of money laundering and terrorist financing as it relates
to identification and examples of suspicious activity.
• Penalties for noncompliance with internal policies and regulatory requirements.”6

Audit’s approach to an assessment of the BSA/AML training program is relatively clear,
given the FFIEC’s well-defined examination procedures highlighted above. While the
requirement for an assessment is relatively objective, the assessment can become quite
subjective based upon the individual(s) performing the assessment, as well as the evidence
of training available and provided to audit. For example, senior leadership’s culture of
compliance may be well stated within business memoranda and evidenced through the
presence of required training. However, training reports may reveal that business leaders
are either the last to complete the requisite training or have not yet completed at the time
the audit assessment is performed. An observation such as this could be particularly
impactful given the current regulatory climate, which is increasingly focused on board and
senior management accountability. As noted by the Comptroller of the Currency Thomas J.
Curry, during his speech at the recent ACAMS Conference, “when we look at the issues
underlying BSA infractions, they can almost always be traced back to decisions and actions
of the institution’s board and senior management.”7 Additionally, receipt of requested
documented training reports may be delayed as reports must be created specific to the
requests rather than being readily available. As is common knowledge, subtle clues to the
state of training such as this can be as detrimental to the review outcomes as the lack of
appropriate content or inadequate personnel coverage.

5 Guidance obtained from numerous financial services’ Compliance leaders by author in preparation of a
comprehensive Compliance training program evaluation
6 FFIEC Manual, BSA/AML Compliance Program Overview - 2010, page 42

Audit’s contribution to the training program design, delivery and deployment in an
optimally efficient and effective manner begins well before the training program review
itself. As audit is charged with reviewing the overall BSA/AML program and its
components, the outcomes of these individual reviews can provide a treasure of guidance
on organizational needs for BSA/AML training. Identification of organizational issues may
indicate weakness in the guiding governance documentation, which generally provides the
foundation for training content. Recognition that this documentation needs refinement is a
good first step toward ensuring that training is an optimal control. Deficiencies in any area
of BSA/AML can readily feed into the core governance documentation, which can then
serve to feed training design, delivery and management.

While enforcement actions may cite training as a deficiency, such as those instances noted
on FinCEN’s site regarding recent actions against Toronto Dominion, Saddle River and
HSBC Banks,8 in many instances a particular area of concern is noted with no reference to
training. However, if either process or practice reflects inadequacies, the underlying
governance documentation is likely a factor. If this documentation is used as a basis for
training, which should be the case, then an enhancement to this documentation and the
underlying training should remedy the situation and preclude future instances of such
deficiencies being cited.

In treating training as the first, last and best control, with audit’s review of it as such, it is
clearly possible to enhance not only the training program’s efficiency and effectiveness but
also to minimize the risk of regulatory infractions and valuable time spent on remediation.
It is always helpful to keep in mind that the business is the driver to activity, with the
regulatory umbrella overlaid across all existing governance expectations and prompting
refinements as needed. Audit is an invaluable resource to ensure that this situation remains
intact and as robust as possible.

7 Remarks by Thomas J. Curry, Comptroller of the Currency, before the Association of Certified Anti-Money
Laundering Specialists, Hollywood, Florida, March 17, 2014, OCC.gov, News Releases 2014-39
http://www.occ.gov/news-issuances/news-releases/2014/nr-occ-2014-39.html
8 FinCEN Enforcement Actions http://www.fincen.gov/news_room/ea/

It is virtually impossible for everyone to know everything there is to know about all aspects
of any regulation, including BSA/AML. However, within the organization’s compliance and
controls infrastructure and audit, there reside specialized generalists who are responsible
to be knowledgeable and current in their knowledge of all that is necessary to keep the
organization within regulatory good standing. Auditors can be relied upon as in-house
resident experts on the subject matter they review, despite their need to be objective in
assessments. Thus, it is extremely useful to maintain a robust dialogue with these
specialists, as they can provide not only lagging, but also leading indicators to the
regulatory environment. As it is always in an auditor’s best interest to identify any and all
issues prior to any examiner review, this font of knowledge can be an invaluable resource
in ensuring that the BSA/AML training program is satisfactorily robust in all areas to
preclude the examiner’s need to cite issues or force remedial action within the
organization.

Among the lines of defense or layers of opportunity, audit’s role should not be overlooked,
whether an in-house team or an external consulting organization. While the time required
throughout the review to prepare and address any and all considerations seems
overwhelming at times, the extra pair of eyes and ears made available and the invaluable
knowledge capital readily shared cannot be overstated. As Jeffrey Houde cites in his
CAMS-Audit white paper entitled A Principles-based Approach for Auditing Board Reporting,
“to ensure an effective partnership with the client, it is helpful to proactively communicate
changes in regulatory expectations and the impact to the client as it becomes known. This
will allow the client to begin to comply with the new expectations prior to the audit,
helping them to enhance their risk management practices and saving them from being cited
unnecessarily in the audit report.”9

Rather than viewing the need for an audit review as a resource drain, it can be embraced as
providing an additional invaluable resource with a finger on the pulse of current and
prospective regulatory considerations to incorporate into governance and training
documentation and practice. As someone who directly experienced the reluctance to
embrace, yet concluded with the welcoming as a trusted resource, this author has seen how
opportune these reviews can be to all parties involved in not only fostering efficiency and
effectiveness but also in realizing true program quality.

9 “A principles-based approach for auditing board reporting,” Jeffrey Houde, CAMS-Audit

Business Process to Capture Audit’s Review Comments and Incorporate into Training
Program

In all instances, the collaborative endeavor of compliance, audit and business can become
more efficient and effective by giving consideration to continuous people, process and
platform/technology enhancements to achieve overall continuous program enhancements.
This can be accomplished by ensuring that a continuous cycle of focus is in place at all
levels, reflected in three stages as follows:

• Assessment phase = reviewing what should be done, initiated by a gathering process
and concluded with a discussion among all appropriate constituents;
• Improvement phase = referencing regulatory expectations, industry guidance and
business needs to enhance existing program, achieved through an initial review and
subsequent implementation process; and
• Maintenance phase = ensuring control environment is properly maintained or
refined as needed, and comprised of an ongoing review and validation process to
confirm the appropriate environment is in place.10

At the most basic level, compliance can be defined as:

• Knowing what must be done;
• Doing what must be done; and
• Demonstrating that what must be done has been done, through documentation.

Given the three lines of defense or layers of opportunity, which exist with the collaborative
endeavors of business, compliance and audit, to achieve compliance in the most effective
and efficient manner, it is useful to ensure that a dynamic continuum is in place.

At its simplest, the collaborative process involves assessment, improvement and
maintenance activities at each level. Business is charged with establishing processes to
manage according to not only the organizational needs but also the regulatory climate.
Ideally, a control environment is in place, which ensures that practices align with
processes, regularly evidencing this situation with clear and concise documentation.
Ideally, compliance provides continuous guidance in concert with legal as needed to ensure
that the regulatory overlay within the business is timely and appropriate. Compliance may,
in fact, perform its own control reviews to validate business conclusions. Finally, audit
steps in to affirm or otherwise, ideally simply validating the prior conclusions. Each
constituent is engaged in continuous enhancement activities as a part of the daily flow of
responsibility. At each level, should there be a need for revision due to either anticipated or
unexpected considerations, the flow of process, control and review and associated
documentation is naturally amended to reflect these considerations.

10 “Compliance, Whose Job is it Really,” March 2012 presentation by author to regional Compliance
association

To achieve a state of optimization with the BSA/AML training program, it is useful to ask
these questions at every stage of the assessment, improvement and maintenance phases:

• What could our people have done differently?
• How could our process have been redefined to obviate the issue?
• What, if any, technology changes could be made to enhance the situation?

In each of these instances involving people, process and technology, there are certainly
training considerations. While training program considerations can be cited in audit and
exam outcomes, basic deficiencies in people, process and/or technology have at their root
the opportunity to be remedied through training. For example, if a software program
evaluation performed by an external vendor cites a situation where a suspicious activity
report (SAR) module is not being properly used, this could result in insufficient
identification and/or reporting of unusual or suspicious activity. Training is likely at the
root of this situation, or it can certainly be deemed a consideration. However, if the use of
the module is not assessed, improved if needed (as in this case), and maintained through
the ongoing evaluation and validation of use, the situation could ultimately result in an
audit or examiner citing.

Audit provides a wealth of knowledge capital with its review outcomes across the
BSA/AML program, which can be used to ensure that the BSA/AML training program is
truly best in class. While the training program review is also invaluable, it is essentially the
culmination of the overall program reviews and will likely be more of a validation exercise.
It is the ongoing assessment, improvement and maintenance across the program which is
the key contributor to this best in class situation. No review can be overlooked, whether a
business product review or the consideration of new technology to enhance an existing
business process. In each instance, there are BSA/AML considerations which can be
adopted within the training program to minimize the risk of future issues or deficiencies
within the overall program.

Throughout the assessment, improvement and enhancement stages, consideration of the
impact on people, process and technology guides constituents to ensure that all aspects
associated with training are captured. In each instance, the who, what, when, where, why
and how can be asked and addressed to ensure that no stone is left unturned when it comes
to communicating expectations and embedding those expectations within training
programs. Audit as the continuous final layer of defense or level of opportunity can be
invaluable in this endeavor, as auditors truly are an expert partner and resource.

Conclusion

The BSA/AML training program is not only the end game, but also the resource, which
demonstrates that BSA/AML compliance is good business and everyone’s business. An
efficient and effective training program, which is continuously assessed, improved and
maintained, can serve as an optimal control tool for the organization. Business, compliance
and audit each have an invaluable role to play in this pursuit. Through their collective
contributions, the BSA/AML training program can readily evidence a culture of compliance
embraced by the entire organization.
