Regulatory Compliance Outlook - Anti-Money Laundering Program: Mandatory Testing
I learned recently some rather extraordinary news: my firm is currently the only mortgage risk management firm in the country offering testing of the Anti-Money Laundering Program (AML) of Residential Mortgage Lenders and Originators (RMLOs). This situation struck me as exceedingly odd, inasmuch as testing is a statutory requirement. Testing annually is recommended, but not later than every eighteen months. In this first year, most companies are testing prior to the Financial Crimes and Enforcement Network’s (FinCEN’s) statute’s anniversary date of Aug. 13, 2013. An audit of the procedures detailed in an RMLO’s policy and procedures must be conducted, in accordance with FinCEN guidelines, either by an internal auditor or by an independent external auditor.

So how is it that my firm is the first mortgage risk management firm to offer the required independent testing? Maybe, even at this late date, the industry itself is still trying to absorb the AML compliance implementation, while struggling to integrate a multitude of other new regulations. Many residential mortgage industry participants have run the Elisabeth Kübler-Ross spectrum of denial to acceptance at a pace that leaves in its wake the sentiments of high dudgeon, middling dudgeon, intermediate dudgeon, towering dudgeon, lofty dudgeon - and, finally, recognition that the tide of change is actually upon us and we must act!

I have tried to make it clear in previous articles that the AML program is quite different than other policy statements and procedures. And it is mandatory! For but two of my many analyses on this matter, read my articles entitled “Anti-Money Laundering Debuts for Non-Banks” in the March 2012 issue of National Mortgage Professional Magazine on page 40 and “Anti-Money Laundering Program: Preparation is Protection” in the August 2012 issue of National Mortgage Professional Magazine on page 22.

Over the years, we have conducted AML audits for banks.
Now, we conduct them for non-banks and their Suspicious Activity Report (SAR) filing compliance. Soon enough, I expect another cottage industry to arise, chock full of firms that will promote such external auditing, bringing about yet another feeding frenzy!

In this article, I will offer some of the basics of AML testing for RMLOs, so that you have a high-level set of considerations that may offer some insight into the testing process. There are many moving features to such an audit. In constructing your own procedures, be aware that the time to learn about how to properly test and report audit results is most certainly not during an examination.

Elements of testing

Let’s consider what my firm does when we conduct an AML test.

Entrance interview

We require an entrance interview for all AML program audits. The meeting is held with company officials, compliance personnel, and support staff to (1) discuss the company’s profile, (2) specify procedures to be followed by the company in the course of the engagement, and (3) answer any questions regarding the auditor’s evaluation process.

Audit responses to prior year consulting and regulatory examination reports

We are in the first year of the AML program. However, each year afterward, the reviewer will ask for the prior year's reports, including any regulatory reports. This part of the review cannot be side-stepped, because it acts as a baseline, further enhanced by an evaluation of corrective action responses. The reviewer's first actions may include back-testing to see if corrective actions were implemented. Any continuation of a compliance failure that previously was subject to corrective action should cause the reviewer to mark down the results.

Issue and review document request

Every audit must contain a document request. The extent to which a company can comply with the document request is in itself a sign of the company's ability to implement the AML program's requirements.
It is expected that a company will provide the documents needed promptly, in legible condition, and in their entirety. Failure to provide certain documents causes an adverse finding.

Conduct anti-money laundering risk assessment

The reviewer must go through a series of risk assessment analytics in order to determine that the company is fulfilling its AML program requirements. These series can be quite extensive, depending on the company's size, complexity, and risk profile.

Review

There are several areas subject to a comprehensive review, which include, but are not limited to, the following:

► AML Compliance Program Oversight
► Customer Identification Program Oversight
► Suspicious Activity Reporting (SAR) Policies and Procedures
► Suspicious Activity Monitoring Systems
► Transaction Testing, consisting of a sample of filed Suspicious Activity Reports (SARs) in order to determine completeness
► Information Sharing Practices under Section 314(a) and 314(b) of the USA PATRIOT Act
► Reporting of Cash Payments Over $10,000 (FinCEN Form 8300) (if applicable)
► Report of Foreign Bank and Financial Accounts (IRS Form TD F 90-22.1) (if applicable)
► Report of International Transportation of Currency or Monetary Instruments (FinCEN Form 105) (if applicable)

In audits for RMLOs, the top six review categories are the key components.

Exit interview

We require an exit interview for all AML program audits. Like the entrance interview, this meeting is held with company officials, compliance personnel, and support staff. In this setting, we review and discuss initial results and learn about the RMLO's responses to some of the findings.

Issue an audit report containing findings and recommendations

The Audit Report serves as a basis for the company to assess the adequacy of policies, procedures, and processes associated with RMLO lending relationships.
The findings or defects determine whether the company’s process for monitoring loan accounts for suspicious activities, and for reporting of suspicious activities, is adequate given the company’s size, complexity, location, and types of customer relationships. The Audit Report should also contain recommendations and set forth proposals for corrective actions to comply with FinCEN regulations.

Internal or external auditing

Most financial firms conduct an independent test annually. A significant management responsibility is to determine who will conduct the test, whether using internal resources or an external auditor. If a company is large enough to have an internal audit department or an internal auditor who is entirely separate from the BSA Officer and the compliance function itself, that may be a good choice. The company will likely have to provide training to the internal auditors to make sure they have a working knowledge of BSA, with respect to FinCEN's RMLO filing requirements. In addition, the auditor should have a working knowledge of FinCEN's audit requirements and a familiarity with the company's risk profile. The internal test must meet all the testing criteria and be able to render a comprehensive report to management.

If a company does not have an internal audit department or internal audit resources—or chooses not to use them for the AML test—it will need to engage an independent external auditor to conduct the test and provide the spectrum of auditing methodologies, rules and results.

Jonathan Foxx is president and managing director of Lenders Compliance Group and Brokers Compliance Group, mortgage risk management firms devoted to providing regulatory compliance advice and counsel to the mortgage industry. He may be contacted at (516) 442-3456, by e-mail at [email protected], or visit www.LendersComplianceGroup.com or www.BrokersComplianceGroup.com.