Professional Documents
Culture Documents
Executive Summary 2
Background 3
Conclusion 12
Page 1
Executive Summary
This paper is intended to complement the audience’s training design, delivery and
management toolkit by engaging audit as collaborator to achieve a more effective and
efficient continuous program enhancement. The target audience is principally financial
institutions relatively new to regulation and those for whom resource and budget
considerations are formidable. Ideally it will also be a useful resource to a broad audience
comprised of compliance, audit and business professionals within the financial services
sector.
This paper will primarily use experience-based resources to validate the conclusions
reached. When possible, industry voices of experts will be referenced. Additionally, details
will be provided on associated processes suggested to achieve desired outcomes.
Page 2
Background
There is little doubt that financial institutions are constantly striving for excellence in
BSA/AML training program design, delivery and deployment, as well as the overall
BSA/AML program off which training drives. Significant literature and guidance are
available in this arena, particularly the dynamic Federal Financial Institution Examination
Council (FFIEC) BSA/AML Examination Manual, most recently updated in 2010. However,
when addressing the optimal process for this design, delivery and deployment, approaches
can vary significantly given such organizational considerations as business scope,
resources and time within the regulatory community.
Aiming for Excellence1 may seem challenging, as it comprises numerous steps: a process of
continuously assessing what is necessary; continuously improving processes and controls
to ensure appropriateness; and continuously maintaining program excellence through an
effective control process. The intent of this approach is not to add an additional level of
work, or create a stand-alone activity, but rather to leverage the lines of defense or layers
of opportunity that are in place. Compliance and audit are, after all, reliant upon the
organizational business activities either in place or in continuous development given
ongoing expectations. If the business is continuously assessing, improving and maintaining
its processes, compliance and audit’s roles of validation and advisement become invaluable
in this continuous improvement process.
While these definitions and approaches are well known among this paper’s audience, it is
often helpful to remind ourselves and our organizational constituents of these as days
become shorter and requirements become greater. Efficiency and effectiveness are not
luxuries but necessities given the time it takes daily to achieve such well-known
compliance philosophies as: trust but verify; if you do not document, you did not do it; if
you document, you do; and when in doubt, take the conservative route. A focus on the
1 Approach developed by author based upon prior work with process efficiency and Six Sigma experts
2 Wikipedia, the free encyclopedia
Page 3
continuous cycle of assessing, improving and maintaining with audit’s help can turn this
challenge into an invaluable opportunity.
Guidance from the regulatory community as well as law enforcement can also play a major
contributory role in optimizing the training program . “One of the most simple, but
sometimes overlooked ways to stay current with emerging AML risks is to cultivate and
develop contacts with law enforcement agencies. While there are obvious barriers to
sharing certain information, law enforcement officers can sometimes provide insights into
new money laundering schemes, red flags that are important for current risks, and
emerging crime patterns that may be specific to your bank’s location(s).” 3
While the overlay of an optimal training program may be the comprehensive coverage of
the regulatory expectations, the foundation built upon existing and/or newly defined
business processes with appropriate process-specific guidance is the beginning of the path
to efficiency and effectiveness. The business cycle can be reflected as a continuum over
which the requirements can be laid:
Policy = defines the requirements and the rationale behind them (i.e., the what and
why);
Procedures = highlights the who, when, where and how associated with the
requisite requirements;
Process = generally details the step-by-step particulars of the procedures;
Controls = reflect the checks and balances which are in place to govern the process,
procedures and policy; and
3 ABA Bank Compliance, Nov-Dec 2013, Managing an Effective AML Program, by John H. Atkinson, CAMS
Page 4
Practice = evidences what is actually occurring, which may or may not be consistent
with expectations, thus resulting in audit and regulatory review outcomes which
prompt refinements.
From a training program design, delivery and management perspective, embracing the
referenced continuum lends to efficiency and effectiveness. As regulatory requirements
change, the continuum should be changing to reflect the most current state. As regulatory
requirements prompt policy change, training content reflective of policy becomes a given.
It also becomes a good check and balance, or control, to ensure that current state is always
in place. This is also true with procedures and process, which help to more fully define the
most appropriate training population and frequency, coupled with the methods of delivery
to best fulfill the training requirements.
Fortunately, given the risk-based approach, which has become the norm, risk
considerations contribute to ensuring that the depth and breadth of policy, procedure,
process and controls is appropriate to the risk. They also contribute to the pursuit of
efficiency and effectiveness.
While all of the above make good common sense, the daily pressures, burdens and costs of
everyday business and compliance life tend to result in diversion from this approach. When
demands become overwhelming, a reminder of the basic business continuum aligned with
associated risk can be useful. Most importantly, documentation reflecting this continuum
and the rationale behind it can go a long way toward achieving satisfactory outcomes in
audit reviews and regulatory examinations, as well as business strategy and general
compliance well-being.
Each training topic has an expert or experts within the organization who can be leveraged
to assist in ensuring that appropriate training is in place without recreating the wheel.
While business professionals may not be the resident experts when it comes to regulation,
they are truly the experts when it comes to business and the requisite processes associated
with optimizing business value. Thus, defined and documented business process
established by the resident business experts becomes an effective and efficient first step in
the assurance of appropriate training.
While the business process may be a good first step, regulatory expectations which drive
compliance and governance expectations are a necessary component. The compliance and
legal communities are generally the drivers of these expectations, with audit playing a key
validation role. While Audit is certainly expected to be an objective third party in this
endeavor, its value cannot be underrated. Audit is not only an expert, but can also serve as
an invaluable guide and font of knowledge capital, which can be embraced by both the
compliance and business communities.
Page 5
As a former internal examiner in commercial banking, the author directly experienced the
reluctance of the business community to embrace this referenced role as advisor. However,
as the voice of this role was truly the last step before the regulator’s voice was made
known, it was imperative that our knowledge base was extremely comprehensive and our
mission to ensure all issues were identified prior to regulatory review was clear among all.
Initial resistance to the time and resource demands of internal reviews quickly dissolved as
the business professionals realized that our time spent and outcomes communicated were
in fact complements to the scarce business resources if embraced as such.
Per the FFIEC BSA/AML Exam Manual, “Banks must ensure that appropriate personnel are
trained in applicable aspects of the BSA.”4 The manual shares a significant amount of
invaluable detail associated with the training program requirements. An optimal BSA/AML
training program comprises information appropriate to the requirements and population,
and addresses who, what, when, where, why and how for each appropriate to the nature of
the training. Depending upon the organization’s scope of activities, it will generally be
comprised of the following types/levels of training:
Targeted training is generally required of all employees within the particular product and
oversight area of focus, based upon the business line’s involvement in the oversight area.
Tailored training is generally very specific to the particular role, and the root of this type of
training may be the business processes and procedures currently in place.
Rarely is awareness training the only level in place, as it presents a challenge to design
content, which can comprehensively address all levels of training needs within the
organization in a single approach. However, organizational policy and procedures are a
great starting point at this level of training development, as these documents should reflect
the minimum requirements necessary for all to know within the organization. While there
may be an organizational view that this training is not required of everyone given
respective roles, it is a good rule of thumb to design this training for everyone within the
organization to demonstrate a level of awareness regardless of role.
4 FFIEC BSA/AML Exam Manual, BSA/AML Compliance Program Overview – 2010, page 37
Page 6
While targeted training goes one step deeper, generally focused on particular lines of
business,which perform activities relevant to the need to know areas of the BSA/AML risk
environment, it can be readily built around awareness training, using specific cases or
examples targeted at the business activities under discussion.
Tailored training, generally process driven, can be readily built using existing business
processes while tailoring the particular process steps to the expectations associated with
BSA/AML and the relevant risk. It also lends itself well to a checklist framework, with the
process and associated controls embedded within the checklist. This approach enables not
only a readily available controls review, but it provides a strong framework for remedial
training should there be a need given controls or audit reviews, which reveal unexpected
outcomes needing refinement.
Given the dynamic nature of the BSA/AML environment, and the necessity to maintain a
current and relevant training program, audit reviews can provide a great resource to
update and refine content in an efficient and effective manner. While it is hopeful that
organizations will not have source materials driven from regulatory enforcement actions,
with audit’s outcomes providing sufficient guidance to preclude these events, when these
do occur they can also fuel the refinement of training to minimize the risk of future such
events.
While each financial services organization may approach the design, delivery and
management of its training program in a distinct manner, noted below for consideration
are some tips gleaned from experience and guidance shared by compliance leaders across
the sector, both large and small. While some version of these approaches may already be
employed within the organization, when employed fully they may enhance the efficiency
and effectiveness of the program’s framework:
Page 7
With the above-noted decentralization of content development, centralize and if
possible systematize the administration of the deployment to make completion
reporting readily available when needed;
Ensure that completion reporting comprehensively reflects the total population,
rather than simply those complete, to ensure that incompletions can be tracked as
readily as completions;
Include a general training section within policy, and a more specific training section
within procedure, which can be readily referenced not only during control and audit
reviews, but also referenced and followed by business as a clear training guide; and
Formally review the training program on a regular basis, and document this review,
to ensure that all particulars associated with the program are relevant based upon
the current regulatory climate and the organization’s internal and external review
experiences.5
In accordance with the FFIEC BSA/AML Exam Manual, audit should “determine whether the
following elements are adequately addressed in the training program and materials:
The importance the board of directors and senior management place on ongoing
education, training and compliance.
Employee accountability for ensuring BSA compliance.
Comprehensiveness of training, considering specific risks of individual business
lines.
Training of personnel from all applicable areas of the bank.
Frequency of training.
Documentation of attendance records and training materials.
Coverage of bank policies, procedures, processes, and new rules and regulation.
Coverage of different forms of money laundering and terrorist financing as it relates
to identification and examples of suspicious activity.
Penalties for noncompliance with internal policies and regulatory requirements.”6
5 Guidance obtained from numerous financial services’ Compliance leaders by author in preparation of a
comprehensive Compliance training program evaluation
6 FFIEC Manual, BSA/AML Compliance Program Overview - 2010, page 42
Page 8
presence of required training. However, training reports may reveal that business leaders
are either the last to complete the requisite training or have not yet completed at the time
the audit assessment is performed. An observation such as this could be particularly
impactful given the current regulatory climate, which is increasingly focused on board and
senior management accountability. As noted by the Comptroller of the Currency Thomas J.
Curry, during his speech at the recent ACAMS Conference, “when we look at the issues
underlying BSA infractions, they can almost always be traced back to decisions and actions
of the institution’s board and senior management.”7 Additionally, receipt of requested
documented training reports may be delayed as reports must be created specific to the
requests rather than being readily available. As is common knowledge, subtle clues to the
state of training such as this can be as detrimental to the review outcomes as the lack of
appropriate content or inadequate personnel coverage.
While enforcement actions may cite training as a deficiency, such as those instances noted
on FinCEN’s site regarding recent actions against Toronto Dominion, Saddle River and
HSBC Banks,8 in many instances a particular area of concern is noted with no reference to
training. However, if either process or practice reflects inadequacies, the underlying
governance documentation is likely a factor. If this documentation is used as a basis for
training, which should be the case, then an enhancement to this documentation and the
underlying training should remedy the situation and preclude future instances of such
deficiencies being cited.
In treating training as the first, last and best control, with audit’s review of it as such, it is
clearly possible to enhance not only the training program’s efficiency and effectiveness but
also to minimize the risk of regulatory infractions and valuable time spent on remediation.
It is always helpful to keep in mind that the business is the driver to activity, with the
7 Remarks by Thomas J. Curry, Comptroller of the Currency, before the Association of Certified Anti-Money
Laundering Specialists, Hollywood, Florida, March 17, 2014, OCC.gov, News Releases 2014-39
http://www.occ.gov/news-issuances/news-releases/2014/nr-occ-2014-39.html
8 FinCEN Enforcement Actions http://www.fincen.gov/news_room/ea/
Page 9
regulatory umbrella overlaid across all existing governance expectations and prompting
refinements as needed. Audit is an invaluable resource to ensure that this situation remains
intact and as robust as possible.
It is virtually impossible for everyone to know everything there is to know about all aspects
of any regulation, including BSA/AML. However, within the organization’s compliance and
controls infrastructure and audit, there reside specialized generalists who are responsible
to be knowledgeable and current in their knowledge of all that is necessary to keep the
organization within regulatory good standing. Auditors can be relied upon as in-house
resident experts on the subject matter they review, despite their need to be objective in
assessments. Thus, it is extremely useful to maintain a robust dialogue with these
specialists, as they can provide not only lagging, but also leading indicators to the
regulatory environment. As it is always in an auditor’s best interest to identify any and all
issues prior to any examiner review, this font of knowledge can be an invaluable resource
in ensuring that the BSA/AML training program is satisfactorily robust in all areas to
preclude the examiner’s need to cite issues or force remedial action within the
organization.
Among the lines of defense or layers of opportunity, audit’s role should not be overlooked,
whether an in-house team or an external consulting organization. While the time required
throughout the review to prepare and address any and all considerations seems
overwhelming at times, the extra pair of eyes and ears made available and the invaluable
knowledge capital readily shared cannot be understated. As Jeffrey Houde cites in his
CAMS-Audit white paper entitled A Principles-based Approach for Auditing Board Reporting,
“to ensure an effective partnership with the client, it is helpful to proactively communicate
changes in regulatory expectations and the impact to the client as it becomes known. This
will allow the client to begin to comply with the new expectations prior to the audit,
helping them to enhance their risk management practices and saving them from being cited
unnecessarily in the audit report.”9
Rather than viewing the need for an audit review as a resource drain, it can be embraced as
providing an additional invaluable resource with a finger on the pulse of current and
prospective regulatory considerations to incorporate into governance and training
documentation and practice. As someone who directly experienced the reluctance to
embrace, yet concluded with the welcoming as a trusted resource, this author has seen how
opportune these reviews can be to all parties involved in not only fostering efficiency and
effectiveness but also in realizing true program quality.
9“A principles-based approach for auditing board reporting,” Jeffrey Houde, CAMS-Audit
Page 10
Business Process to Capture Audit’s Review Comments and Incorporate into Training
Program
In all instances, the collaborative endeavor of compliance, audit and business can become
more efficient and effective by giving consideration to continuous people, process and
platform/technology enhancements to achieve overall continuous program enhancements.
This can be accomplished by ensuring that a continuous cycle of focus is in place at all
levels, reflected in three stages as follows:
Given the three lines of defense or layers of opportunity, which exist with the collaborative
endeavors of business, compliance and audit, to achieve compliance in the most effective
and efficient manner, it is useful to ensure that a dynamic continuum is in place.
10“Compliance, Whose Job is it Really,” March 2012 presentation by author to regional Compliance
association
Page 11
unexpected considerations, the flow of process, control and review and associated
documentation is naturally amended to reflect these considerations.
To achieve a state of optimization with the BSA/AML training program, it is useful to ask
these questions at every stage of the assessment, improvement and maintenance phases:
In each of these instances involving people, process and technology, there are certainly
training considerations. While training program considerations can be cited in audit and
exam outcomes, basic deficiencies in people, process and/or technology have at their root
the opportunity to be remedied through training. For example, if a software program
evaluation performed by an external vendor cites a situation where a suspicious activity
report (SAR) module is not being properly used, this could result in insufficient
identification and/or reporting of unusual or suspicious activity. Training is likely at the
root of this situation, or it can certainly be deemed a consideration. However, if the use of
the module is not assessed, improved if needed (as in this case), and maintained through
the ongoing evaluation and validation of use, the situation could ultimately result in an
audit or examiner citing.
Audit provides a wealth of knowledge capital with its review outcomes across the
BSA/AML program, which can be used to ensure that the BSA/AML training program is
truly best in class. While the training program review is also invaluable, it is essentially the
culmination of the overall program reviews and will likely be more of a validation exercise.
It is the ongoing assessment, improvement and maintenance across the program which is
the key contributor to this best in class situation. No review can be overlooked, whether a
business product review or the consideration of new technology to enhance an existing
business process. In each instance, there are BSA/AML considerations which can be
adopted within the training program to minimize the risk of future issues or deficiencies
within the overall program.
Page 12
Conclusion
The BSA/AML training program is not only the end game, but also the resource, which
demonstrates that BSA/AML compliance is good business and everyone’s business. An
efficient and effective training program, which is continuously assessed, improved and
maintained, can serve as an optimal control tool for the organization. Business, compliance
and audit each have an invaluable role to play in this pursuit. Through their collective
contributions, the BSA/AML training program can readily evidence a culture of compliance
embraced by the entire organization.
Page 13