Wednesday, June 5, 2013

Anti-Money Laundering Program: Testing

I learned recently some rather extraordinary news: my firm is currently the only mortgage risk management firm in the country offering testing of a Residential Mortgage Lenders and Originator’s (RMLO’s) Anti-Money Laundering Program.* This situation struck me as exceedingly odd, inasmuch as testing is a statutory requirement.
Testing annually is recommended, but not later than every eighteen months. In this first year, most companies are testing prior to the Financial Crimes and Enforcement Network’s (FinCEN’s)statute’s anniversary date in August. An audit of the procedures detailed in an RMLO’s policy and procedures must be conducted either an internal auditor, in accordance with FinCEN guidelines, or, in accordance with FinCEN guidelines, by an independent external auditor.
How is it that we are the first mortgage risk management firm to offer the independent auditing requirement? Maybe, even at this late date, the industry itself is still trying to absorb the AML compliance implementation, while struggling to integrate a multitude of other new regulations.
Many residential mortgage industry participants have run the Elizabeth Kubler Ross spectrum of denial to acceptance at a pace that leaves in its wake the sentiments of high dudgeon, middling dudgeon, intermediate dudgeon, towering dudgeon, lofty dudgeon - and, finally, recognition that the tide of change is actually upon us!
I have tried to make it clear in previous articles, that the AML program is quite different than other policy statements and procedures!

For two of my analyses on this matter, read my articles entitled Anti-Money Laundering Program - Preparation is Protection (8/2012), or Anti-Money Laundering Debuts for Nonbank Mortgage Companies (3/2012).
Over the years, we have conducted AML audits for banks. Now we conduct them for nonbanks and their Suspicious Activity Report (SAR) filing compliance. Soon enough, I expect another cottage industry to arise, chock full of firms that will promote such external auditing, bringing about yet another feeding frenzy!
In this article, I will offer some of the basics to AML testing for RMLOs, so that you have a high-level set of bullets that may offer some insight into the audit process. There are many moving features to such an audit. In constructing your own procedures, be aware that the time to learn about how to properly test and report audit results is most certainly not during an examination.
Elements of Testing
Internal or External Auditing
We recommend that an AML audit for RMLOs should contain, at the least, the following elements:
Entrance Interview
We require an entrance interview for all AML program audits. The meeting is held with company’s officials, compliance personnel, and support staff is conducted to (1) discuss the company’s lender profile, (2) specify procedures to be followed by the company in the course of the engagement, (3) answer any questions regarding the auditor’s evaluation process.
Audit responses to Prior Year Consulting and Regulatory Examination Reports (if applicable) We are in the first year of the AML program. However, each year afterward, the review will ask for the prior year's reports, including any regulatory reports. This part of the review cannot be side-stepped, because it acts as a baseline, further enhanced by an evaluation of corrective action responses. The reviewer's first actions may include back-testing to see if corrective actions were implemented. Any continuation of a compliance failure that previously was subject to corrective action should cause the review to mark down the results.
Issue and Review Document Request
Every audit must contain a document request. The extent that a company can comply with the document request is in itself a sign of the company's ability to implement the AML program's requirements. It is expected that a company will provide the documents needed promptly, in legible condition, and in their entirety. Failure to provide certain documents causes an adverse finding.
Conduct Anti-Money Laundering (AML) Risk Assessment
The review must go through a series of risk assessment analytics in order to determine that the company is fulfilling its AML program requirements. These series can be quite extensive, depending on the company's size, complexity, and risk profile.