AML SYSTEMS -- DATA VALIDATION
FLORIDA BANKERS ASSOCIATION
OCTOBER 2014

Kristen J. Stogniew, Esq., AAP, Shareholder
Saltmarsh, Cleaveland & Gund, CPAs

I am ---
- 2nd generation consultant to the industry
- >19 years consulting in BSA & Regulatory Compliance including audit, monitoring, training, mentoring
- Attorney - Florida Bar Member since 1995
- Member of CFE since 2003; Accredited ACH Professional

I am not ---
- IT person
- Regulator
- Vendor representative

Why implement an AML system?
OceanSystems ECS Verafin AML Manager? Yellow Hammer BSA

Why implement an AML system?
- Too much information, not enough time to digest
- Consistent methodology protects institution
- Retention of review/conclusions
- (Almost real time) Risk Rating
- Comparison of Expected vs. Actual activity
- Regulators require it

Regulatory Expectations on AML/MIS systems, since 2005.
- The Independent Test should address the integrity and accuracy of MIS used in the BSA/AML compliance program.
- MIS includes reports used to: identify large currency transactions, aggregate daily currency transactions, funds transfer transactions, monetary instrument sales transactions, and analytical and trend reports.
- The programming of the Bank's monitoring systems should be independently reviewed for reasonable filtering criteria.

- April 4, 2011
The expanding use of models in all aspects of banking reflects the extent to which models can improve business decisions, but models also come with costs. There is the direct cost of devoting resources to develop and implement models properly. There are also the potential indirect costs of relying on models, such as the possible adverse consequences (including financial loss) of decisions based on models that are incorrect or misused. Those consequences should be addressed by active management of model risk.

Model Risk Processes
- Conceptual Soundness of model
- Process Verification / Benchmarking
- Analyze Model Outcomes

Model Risk Processes
- Prior exams, audits, validations
- Delegation of responsibilities
- Risk Assessment/Where does model fit in?
- Are there risk-appropriate model-related:
  - Policies & procedures
  - Ongoing validation processes
  - Board/ reporting

Common Validation Finding: This is not in place. We particularly feel that Board/ reporting (overrides, volume and type of alerts, cases generated) serves as a form of ongoing validation and will help to steer the ship in the right direction...

Conceptual Soundness of model
- Developmental evidence in support of design
- Came from implementation phase & ongoing validation:
  - Data feeds
  - Tran codes
  - Filters for alerts
  - Points for risk rating
- Was this carefully considered, using management's judgment, and consistent with sound industry practices?

Data feeds.
[Diagram: data feeds into the XYZ Bank AML System]
- Vendors: OFAC
- ACH: Originator; Beneficiary; SEC code/IAT indicator
- Core Systems: Trust; Loan; Deposit; Brokerage
- POD Data and Transaction Terminals: Teller; Proprietary ATMs; Foreign ATMs; POS checkouts; Location
- Fed file & other Wire System(s): Other side name & address; Other side bank; Payment order details; International may be different
- Monetary instrument: Purchaser; Payee; Method of payment

Common Systems Functionalities...
Rule(s), examples:
- Cash transactions between $7,000 and $10,000
- 3 or more wire transfers, each less than $3,000, in a week
- Wire transfer $5,000 or more in, followed by cash out $5,000 or more
- ACH credit over $8,000
Rules are IF, THEN..

Common Systems Functionalities...
Filter(s), apply the rules to Sub-set or Risk Category of accounts
- Example, Personal accounts
  - Opened less than 3 months
- Example, Business accounts
  - In high risk industries
  - Newly formed enterprise
  - Beneficial Owners unknown
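
The four example rules and the "opened less than 3 months" filter above, written out as IF/THEN checks. This is an added sketch, not code from the presentation or from any vendor system; the transactions, opening dates, rule names, the inclusive $7,000-$10,000 bounds, the 90-day reading of "3 months" and the 3-day "followed by" window are all assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: (account, date, channel, direction, amount)
TXNS = [
    ("A1", date(2014, 10, 1), "cash", "in", 7500),
    ("A2", date(2014, 10, 1), "wire", "out", 2500),
    ("A2", date(2014, 10, 3), "wire", "out", 2900),
    ("A2", date(2014, 10, 6), "wire", "out", 1000),
    ("A3", date(2014, 10, 2), "wire", "in", 6000),
    ("A3", date(2014, 10, 3), "cash", "out", 5500),
    ("A4", date(2014, 10, 2), "ach", "in", 8000),     # exactly 8,000 is not "over"
    ("A4", date(2014, 10, 9), "ach", "in", 8001),
    ("A5", date(2014, 10, 1), "wire", "out", 2000),
    ("A5", date(2014, 10, 5), "wire", "out", 2000),
    ("A5", date(2014, 10, 12), "wire", "out", 2000),  # three wires, but over 11 days
]
OPENED = {"A1": date(2014, 9, 1), "A2": date(2010, 1, 1), "A3": date(2014, 8, 15),
          "A4": date(2012, 5, 1), "A5": date(2014, 9, 20)}  # constructed opening dates
WEEK = timedelta(days=7)
FOLLOW = timedelta(days=3)  # assumption: the slide gives no "followed by" window

def opened_recently(acct, as_of=date(2014, 10, 15)):
    """Filter: accounts opened less than 3 months ago (taken as 90 days)."""
    return (as_of - OPENED[acct]).days < 90

def run_rules(txns, in_scope=lambda acct: True):
    """Return the set of (account, rule) alerts for accounts passing the filter."""
    by_acct, alerts = defaultdict(list), set()
    for t in sorted(txns, key=lambda t: t[1]):
        by_acct[t[0]].append(t)
    for acct, rows in by_acct.items():
        if not in_scope(acct):
            continue
        for _, d, chan, direction, amt in rows:
            if chan == "cash" and 7000 <= amt <= 10000:
                alerts.add((acct, "CASH_7K_10K"))
            if chan == "ach" and direction == "in" and amt > 8000:
                alerts.add((acct, "ACH_CREDIT_OVER_8K"))
        small = [r[1] for r in rows if r[2] == "wire" and r[4] < 3000]
        # Third small wire less than 7 days after the first: 3 or more in a week.
        if any(small[i + 2] - small[i] < WEEK for i in range(len(small) - 2)):
            alerts.add((acct, "WIRES_3_UNDER_3K_WEEK"))
        w_in = [r[1] for r in rows if r[2:4] == ("wire", "in") and r[4] >= 5000]
        c_out = [r[1] for r in rows if r[2:4] == ("cash", "out") and r[4] >= 5000]
        if any(timedelta(0) <= c - w <= FOLLOW for w in w_in for c in c_out):
            alerts.add((acct, "WIRE_IN_THEN_CASH_OUT"))
    return alerts
```

Running the same rules with and without `opened_recently` shows how a filter changes the alert population, which is the kind of filtering criterion a validator is asked to review for reasonableness.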

Common Systems Functionalities...
Intelligent systems
- Review activity in context to other data
- Adaptive based on historical activity
- Can compare against peer group
- Behavior-based norms, fuzzy logic

Common Systems Functionalities
- Risk Rating
  - Applies points to customer information
  - Applies points to transaction activity
  - Total score falls within institution-defined tiers of risk
  - Is this the institution's High Risk list?
- Expected vs. Actual Transactions
- OFAC/FSE/PEP, etc.
- 314(a)
- CTR and/or SAR filing

Cont'd Conceptual Soundness of model
- Are coverage and capabilities in line with risk profile, and intended use?
- Are there any material gaps?
  - High risk transaction types; products; customers; geographies
- Is data used representative of portfolio/market?
- Are parameters/risk weights appropriate?
- Is the system providing value?

Common Findings:
(1) One or more high risk areas from institution's Risk Assessment is not being analyzed in System;
(2) Parameters or Risk Score too high or low for meaningful ID;
(3) Vendor-provided risk settings/keywords have not been updated since install;
(4) Nature of business is scoring so high on risk rating that all high risk business types score high, even if no activity.

OCC & FRB Supervisory Guidance on Model Risk
Conceptual Soundness / Testing
- Recalculate risk ratings across a wide range of risk factors
- Conduct sensitivity analysis - determine the impact of small changes in assumptions on model output:
  Unexpectedly large changes in outputs in response to small changes in inputs can indicate an unstable model, while stress testing responses to a wide range of inputs, including extreme changes, can confirm the model's robustness

We work with management during the review if possible to test the impact of changes/prove or disprove our assessment of the theory behind the model. Sometimes this cannot be done during the review and a follow-up visit is often recommended.

Process Verification / Benchmarking: Are all model components functioning as intended?
- Test risk based sample of internal and external data feeds for accuracy and integrity of data capture
- Review user access controls
- Review model overrides level and documentation (excessive may compromise model integrity)
- If available, compare inputs and outputs to estimates from alternative internal or external data (benchmark)

E.g., Testing Currency Transactions
Deposits & Withdrawals
- DDA
- CD
- IRA
- Savings
- Money market
- ATM
- Internal bank accounts, on customer's behalf
Others
- Less cash / cash back
- On us non customer
- Transit check cashed
- Batched transactions
- Savings Withdrawal to Close account
- Loan payment
- Monetary instrument purchases
- General Ledger cash ins
- Loan disbursements
- Currency exchanges
- Cash orders
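
The sensitivity analysis on risk ratings described under Conceptual Soundness / Testing above, as an added sketch (not from the presentation or any vendor system). The point table, tier cutoffs, factor names and customers are constructed assumptions; the last function checks for common finding (4), a High rating driven by nature of business alone.

```python
# Constructed point table, tier cutoffs and customers (assumptions for this sketch).
WEIGHTS = {"high_risk_industry": 30, "foreign_wires": 15,
           "cash_activity": 15, "new_account": 5}
ACTIVITY = {"foreign_wires", "cash_activity"}   # points driven by transactions
CUSTOMERS = {
    "jeweler_dormant": {"high_risk_industry"},
    "jeweler_active": {"high_risk_industry", "foreign_wires", "cash_activity"},
    "retail_cash": {"cash_activity", "new_account"},
    "importer": {"foreign_wires", "cash_activity"},
    "salary_acct": set(),
}

def tier(points, high=30, moderate=15):
    """Map a total score to an institution-defined tier."""
    return "High" if points >= high else "Moderate" if points >= moderate else "Low"

def rate_all(weights):
    """Recalculate every customer's rating from the point table."""
    return {name: tier(sum(weights[f] for f in factors))
            for name, factors in CUSTOMERS.items()}

def sensitivity(weights, step=5):
    """Customers whose tier changes when one weight moves by +/- step."""
    base, moved = rate_all(weights), {}
    for factor in weights:
        for delta in (-step, step):
            trial = dict(weights, **{factor: weights[factor] + delta})
            changed = sorted(n for n, t in rate_all(trial).items() if t != base[n])
            if changed:
                moved[(factor, delta)] = changed
    return moved

def high_without_activity(weights):
    """High-rated customers with no transaction-driven points (finding 4)."""
    rated = rate_all(weights)
    return sorted(n for n, f in CUSTOMERS.items()
                  if rated[n] == "High" and not (f & ACTIVITY))
```

Customers that flip tiers on a 5-point change sit on a cutoff; a long list of them after a small change is the instability the guidance warns about.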

Actual Finding on transaction capture:
- For the days in our sample, the AML system failed to capture the following types of transactions:
  - Miscellaneous cash out;
  - On us non-customer cashed check;
  - Money market withdrawal;
  - Savings withdrawal; and
  - Checking deposit cash in
- The institution requested the vendor to review the configuration to determine why
- For the transactions, the cash component was missing in the configuration
- None of the CTRs thought to have been created and filed during this period were actually sent to FinCEN, as the system's entire filing process was not completed.
- The BSA Officer can make changes to the parameters without IT or other independent review, and system maintenance reports do not provide a useful audit trail for parameter changes.

Analyze Model Outcomes
- Obtain reportable transactions or high risk accounts from source records and verify whether they alerted as expected (forward-testing), and, conversely, compare alerted activity to source information to verify proper calculations (back-testing).
- Determine whether alerts and risk changes are being responded to - timely and with adequate documentation.
- Compare the Bank's customer base of low, moderate, and high risk customers for reasonableness and against the latest risk rating list to identify potential deficiencies.

Some Findings on Model Outcome:
- Foreign wire transfers are not identified and/or scoring properly (some too many, some too few)
- Accounts rated as Charity, Jewel Dealer, and Non-traditional financial entities are not being assigned added points at account opening
- DBAs are not being industry-coded
- Activity subject to review is too short to make a decision; so, it looks like alerts are not being responded to timely
- Deviation thresholds are set so high, suspicious increases are not alerting
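
Forward-testing, back-testing and the transaction-capture check described above, as an added sketch that is not from the presentation. The core-system records, tran codes, AML extract and alert list are constructed; the sketch assumes cash in and cash out are aggregated separately per customer per day against the over-$10,000 CTR threshold.

```python
from collections import defaultdict

CTR_THRESHOLD = 10_000  # currency transactions over $10,000 are reportable

# Constructed source records: (txn_id, customer, day, tran_code, cash_in, cash_out)
CORE = [
    ("T1", "C1", "2014-10-01", "DDA_DEP", 6000, 0),
    ("T2", "C1", "2014-10-01", "SAV_WD", 0, 3000),
    ("T3", "C1", "2014-10-01", "DDA_DEP", 5000, 0),
    ("T4", "C2", "2014-10-01", "MM_WD", 0, 12000),
    ("T5", "C3", "2014-10-02", "LOAN_PMT", 4000, 0),
    ("T6", "C4", "2014-10-02", "DDA_DEP", 9000, 0),
    ("T7", "C4", "2014-10-02", "MISC_CASH_OUT", 0, 2000),
]
# Constructed AML-system extract: transaction ids it captured and CTR alerts it raised.
AML_CAPTURED = {"T1", "T3", "T5", "T6"}
AML_CTR_ALERTS = {("C1", "2014-10-01"), ("C4", "2014-10-02")}

def capture_gaps(core, captured):
    """Tran codes with source transactions the AML system never received."""
    gaps = defaultdict(list)
    for txn_id, _, _, code, _, _ in core:
        if txn_id not in captured:
            gaps[code].append(txn_id)
    return dict(gaps)

def expected_ctr(core):
    """(customer, day) pairs whose daily cash-in or cash-out total exceeds the threshold."""
    totals = defaultdict(lambda: [0, 0])
    for _, cust, day, _, cash_in, cash_out in core:
        totals[(cust, day)][0] += cash_in
        totals[(cust, day)][1] += cash_out
    return {k for k, (cin, cout) in totals.items() if max(cin, cout) > CTR_THRESHOLD}

def forward_test(core, alerts):
    """Reportable activity in source records that did not alert."""
    return expected_ctr(core) - alerts

def back_test(core, alerts):
    """Alerts that the source records do not support (possible miscalculation)."""
    return alerts - expected_ctr(core)
```

In the constructed data, the missed C2 alert traces back to the uncaptured `MM_WD` code, while the unsupported C4 alert points to cash in and cash out being added together.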

- Work with & the Vendor as necessary to form conclusions
  - How settings / filters work in the Bank's environment
  - Are there newer parameters available?
- Provide Effective Challenge - a critical analysis by objective third parties who can identify model limitations and assumptions and produce appropriate changes.

Deep thoughts on model validation
- If you can, run parallel before implementing a new system
  - 3-6 months
- BSA Officer should be involved/aware of all new products and system updates. What is the impact on filters / parameters?
- Ongoing validation, management reporting
- Re-do testing where applicable (significant changes, system upgrades)
- The volume of system alerts should not be tailored solely to meet existing staff levels
- Talk with your peers - join formal or informal user groups.

AML Systems Model Validation
Questions / Discussion?
Kristen J. Stogniew, 813-287-1111 ext 1030
kristen.stogniew@saltmarshcpa.com
www.thebankadvisors.com