There is a natural hierarchy, a structure, to the documents that govern how a financial institution measures, manages and mitigates its compliance risk. At the top of this hierarchy sits the corporate risk tolerance statement, providing a target risk level, net of mitigating controls. The risk tolerance statement informs the relevant corporate level policy, dictating how management allocates that risk position.
For financial crimes compliance, that policy will detail what customer types are and are not acceptable to the institution, what products and services will be offered to customers, and in what geographies the institution will permit activity, either through a direct physical presence, or indirectly by the sources and destinations of customer transactions.
High-level policies will also establish minimum standards for major systems of controls, such as due diligence requirements and internal referrals of unusual or potentially suspicious activity, to ensure institution-wide consistency. Importantly, well-thought-out policies will also detail escalation procedures for exceptions to policy, as well as penalties for non-compliance or unauthorized risk-taking. Depending on the size and complexity of the financial institution, the corporate policy may be implemented at the operating unit level, with line-of-business- or legal-subsidiary-specific policy documents or guidelines.
The final level of this hierarchy of governing documents is the operating procedures used by individual employees and officers. Sound procedures will provide ample detail for day-to-day business activities so that someone could step in and perform the task with minimal training and supervision. When internal auditors come in to test the efficacy of controls, they often conduct reperformance tests, following the letter of the procedures. Outdated or incomplete procedures are low-hanging fruit for audit and examiner criticism.
In my years of experience as a BSA officer, I have reviewed and approved countless policies, internal guidance documents and procedures at all levels of banking organizations. I have worked closely with internal auditors, compliance testing departments and bank examiners in reaction to testing findings, to provide rationale and comfort for existing documentation and to probe their feedback and expectations to ensure a timely and satisfactory response. I have managed the development and design of new procedures (a global Customer Due Diligence Standard and a new Anti-Bribery/Anti-Corruption Policy) and spearheaded the rollout to multiple lines of business.
I will work with you to provide the guidance and structure to a policy or procedure project. I believe in proactive involvement of all stakeholders, so I will seek out input from the impacted business lines to foster their support and to preemptively identify control or technical gaps that will impact the timeline to full implementation. For procedures, I will work side-by-side with front line employees, shadowing their activities and probing the How's and Why's of what they do, as well as the What's and When's. The final result will be a set of policy and/or procedure documents with robust supporting detail of the decision-making and spot testing of accuracy and completeness.