Wednesday, June 5, 2013

Anti-Money Laundering Program: Testing

I learned recently some rather extraordinary news: my firm is currently the only mortgage risk management firm in the country offering testing of a Residential Mortgage Lenders and Originator’s (RMLO’s) Anti-Money Laundering Program.* This situation struck me as exceedingly odd, inasmuch as testing is a statutory requirement.
Testing annually is recommended, but not later than every eighteen months. In this first year, most companies are testing prior to the Financial Crimes and Enforcement Network’s (FinCEN’s) statute’s anniversary date in August. An audit of the procedures detailed in an RMLO’s policy and procedures must be conducted, in accordance with FinCEN guidelines, either by an internal auditor or by an independent external auditor.
How is it that we are the first mortgage risk management firm to offer the independent auditing requirement? Maybe, even at this late date, the industry itself is still trying to absorb the AML compliance implementation, while struggling to integrate a multitude of other new regulations.
Many residential mortgage industry participants have run the Elisabeth Kübler-Ross spectrum of denial to acceptance at a pace that leaves in its wake the sentiments of high dudgeon, middling dudgeon, intermediate dudgeon, towering dudgeon, lofty dudgeon - and, finally, recognition that the tide of change is actually upon us!
I have tried to make it clear in previous articles that the AML program is quite different than other policy statements and procedures!

For two of my analyses on this matter, read my articles entitled Anti-Money Laundering Program - Preparation is Protection (8/2012), or Anti-Money Laundering Debuts for Nonbank Mortgage Companies (3/2012).
Over the years, we have conducted AML audits for banks. Now we conduct them for nonbanks and their Suspicious Activity Report (SAR) filing compliance. Soon enough, I expect another cottage industry to arise, chock full of firms that will promote such external auditing, bringing about yet another feeding frenzy!
In this article, I will offer some of the basics to AML testing for RMLOs, so that you have a high-level set of bullets that may offer some insight into the audit process. There are many moving features to such an audit. In constructing your own procedures, be aware that the time to learn about how to properly test and report audit results is most certainly not during an examination.
Elements of Testing
Internal or External Auditing
We recommend that an AML audit for RMLOs should contain, at the least, the following elements:
Entrance Interview
We require an entrance interview for all AML program audits. The meeting, held with the company’s officials, compliance personnel, and support staff, is conducted to (1) discuss the company’s lender profile, (2) specify procedures to be followed by the company in the course of the engagement, and (3) answer any questions regarding the auditor’s evaluation process.
Audit responses to Prior Year Consulting and Regulatory Examination Reports (if applicable)
We are in the first year of the AML program. However, each year afterward, the review will ask for the prior year's reports, including any regulatory reports. This part of the review cannot be side-stepped, because it acts as a baseline, further enhanced by an evaluation of corrective action responses. The reviewer's first actions may include back-testing to see if corrective actions were implemented. Any continuation of a compliance failure that previously was subject to corrective action should cause the review to mark down the results.
Issue and Review Document Request
Every audit must contain a document request. The extent to which a company can comply with the document request is in itself a sign of the company's ability to implement the AML program's requirements. It is expected that a company will provide the documents needed promptly, in legible condition, and in their entirety. Failure to provide certain documents causes an adverse finding.
Conduct Anti-Money Laundering (AML) Risk Assessment
The review must go through a series of risk assessment analytics in order to determine that the company is fulfilling its AML program requirements. These series can be quite extensive, depending on the company's size, complexity, and risk profile.

There are several areas subject to a comprehensive review, which include, but are not limited to, the following:
-AML Compliance Program Oversight
-Customer Identification Program Oversight
-Suspicious Activity Reporting (SAR) Policies and Procedures
-Suspicious Activity Monitoring Systems
-Transaction Testing, consisting of a sample of filed Suspicious Activity Reports (SARs) in order to determine completeness.
-Information Sharing Practices under Section 314(a) and 314(b) of the USA PATRIOT Act
-Reporting of Cash Payments Over $10,000 (FinCEN Form 8300) (if applicable)
-Report of Foreign Bank and Financial Accounts (IRS Form TD F 90-22.1) (if applicable)
-Report of International Transportation of Currency or Monetary Instruments (FinCEN Form 105) (if applicable)
In audits for RMLOs, the top six reviews are the key components.
Exit Interview
We require an exit interview for all AML program audits. Like the entrance interview, this meeting is held with the company’s officials, compliance personnel, and support staff. In this setting, we review and discuss initial results and learn about the RMLO's responses to some of the findings.
Issue an Audit Report containing Findings and Recommendations
The Audit Report serves as a basis for the Company to assess the adequacy of policies, procedures, and processes associated with residential mortgage lender and originator lending relationships. The Findings determine whether the Company’s system for monitoring loan accounts for suspicious activities and for reporting of suspicious activities is adequate given the Company’s size, complexity, location, and types of customer relationships. The Recommendations set forth the proposed corrective actions required to comply with FinCEN regulations.
Internal or External Auditing
Most financial firms conduct an independent test annually. A significant management responsibility is to determine who will conduct your test, whether using internal resources or an external auditor. If a company is large enough to have an internal audit department, or an internal auditor who is entirely separate from the BSA Officer, that may be a good choice. The company will likely have to provide training to the internal auditors to make sure they have a working knowledge of BSA, with respect to FinCEN's RMLO filing requirements. In addition, the auditor should have a working knowledge of FinCEN's audit requirements and a familiarity with the company's risk profile. The internal test must meet all the testing criteria and be able to render a comprehensive report to management.
If a company does not have an internal audit department or internal audit resources - or chooses not to use them for this test - it will need to engage an external auditor to conduct the test and provide the spectrum of auditing methodologies and rules.
*Jonathan Foxx is the President & Managing Director of Lenders Compliance Group