After the Soviet Union in the 1980s said it would consider joining the United States in dramatically reducing its nuclear arsenal, do you know why President Reagan’s words, “Trust, but verify” were so powerful? Because it was actually a Russian proverb — “Doveryai, nu proveryai.”

Soviet leader Mikhail Gorbachev was always amused when Reagan said this during their talks. When the two finally signed the nuclear disarmament treaty in 1987, Gorbachev asked Reagan why he would always say that. Reagan replied, “Because I like it.”

Trust, but verify. Those words are also very powerful when it comes to making sure your community financial institution (CFI) is adequately preventing would-be bad actors from using your infrastructure to launder money to facilitate crimes such as drug trafficking and terrorism. Indeed, one of the main components of a Bank Secrecy Act and anti-money laundering (BSA/AML) compliance program is routine audits to ensure your institution is doing its job to identify and report such nefarious acts.

It’s important to note that even if your CFI seems to have a proper process for data collection, employee training, documentation of transactions, and compliance recordkeeping, you still need to perform periodic audits to ensure everything is flowing as it should. Ultimately, your goal is to find any weaknesses in your process before criminals do. If you do find any loopholes, you’ll be able to report any associated transactions to regulators and hammer out a plan to reinforce your defenses.

You don’t have to pay for an outside certified public accountant or another third party to conduct these audits, according to the Financial Crimes Enforcement Network (FinCEN). Instead, you can designate an officer or employee who is not part of the compliance team to conduct the audit — as long as the person wasn’t involved in developing the BSA/AML compliance program they’re auditing and has adequate knowledge of the BSA/AML regulations.

What are the key factors in ensuring your internal auditing function is up to snuff?
- Make sure it builds upon the foundational components detailed in the Federal Financial Institutions Examination Council’s BSA/AML Examination Manual.
- Determine the level, intensity, and frequency of testing for each of the core BSA/AML areas, based on the level of risk. In particular, CFIs should enhance their customer due diligence processes if they are engaged in areas that deserve special attention:
  - Nonresident aliens, foreign nationals, and politically exposed persons
  - Foreign correspondent banks
  - Trade finance
  - Marijuana or cannabis businesses
  - Payment processors
  - Money service businesses
  - Online and mobile banking operations
- Make sure your internal auditing function is taking a holistic view of your overall BSA/AML environment instead of adhering to a “rote, check-the-box” approach. Don’t just focus on transactional testing — take an overall look at processes and internal controls, and above all else, scrutinize your “compliance culture.”
- Make sure your employees are trained regularly so that they keep up with the constantly evolving regulatory expectations surrounding BSA/AML.

It cannot be stressed enough how critical it is to routinely audit your BSA/AML compliance program, as it’s a regulatory requirement: in 2021, FinCEN slapped an $8MM civil money penalty on a CFI in Texas for willfully violating BSA regulations, including willfully failing to implement and maintain an effective AML program.

Make sure your BSA/AML auditing process is completed regularly, by someone who isn’t part of your compliance team. This is the most effective way to ensure that your BSA/AML program is working as you intended.