There are a number of possible triggers for a broad assessment of the appropriateness and completeness of a financial crimes compliance program. For the last several years, independent program reviews have been prominent features of a string of public enforcement actions. Sometimes, a less than satisfactory audit or testing outcome in one area may spark a desire to step back and reassess the overall compliance program. This is important given the interconnectedness of the program components: customer onboarding and due diligence as a data feed transaction monitoring and sanctions screening and all three inform the risk assessment.
The independence of the program review is crucial to the success of the process (and its acceptability to bank regulators). An independent reviewer brings no history, no biases –no “But that’s the way we’ve always done it”– to the assessment. In their day to day activity and familiarity with the program and processes, compliance staff take for granted the minor cutting of corners and compromises that were made in the development of the current program. An independent reviewer will come in and take the program at face value, will point out the good, the bad and the ugly, and will force past the status quo into a fresh round of analysis and decision making in response to the review findings and recommendations.
In my years of experience, both as an examiner and as a compliance officer, I have led or participated in several program reviews. Using the FFIEC BSA/AML Examination Manual as my foundation, supplemented as necessary from information gleaned from enforcement actions, I will structure and conduct a program review – the whole institution or for a line of business. The review will include a careful reading of policies and procedures, reviews of recent control testing and management’s responses, interviews with business line, compliance and IT management, direct observation of day to day processes, reviews of systems design documents including data feeds between systems, control testing through sampling of the various control functions. I will provide feedback often as I progress (No surprises). The deliverable will be a program review report providing detailed assessment of all the program components. I believe strong practices should be highlighted as well as the gaps identified. The results will be scored for prioritization – Immediate Action Required through Nice to Have – with recommendations on how to close the gaps. I can work with you translate the findings into an action plan with aggressive but reasonable timeframes for completion.