THE ANTI-MONEY LAUNDERING ASSOCIATION AML SYSTEMS -- DATA VALIDATION OCTOBER 20, 2011 Kristen J. Stogniew, Shareholder Saltmarsh, Cleaveland & Gund

I am ---  16 years BSA & Regulatory Compliance consulting, including audit, monitoring, training  Attorney - Florida Bar Member since 1995  Accredited ACH Professional  A deep thinker… I am not ---  IT person  Regulator  Vendor representative 2

Agenda  Purpose of AML system  Examiner expectations  Improve your chances of passing data validation testing  Methodology for testing Determine what is brought in Determine how it is being used Test Input/Output 3

Why implement an AML system ? 4

Regulatory Expectations on AML/MIS systems, since 2005…. FFIEC Exam Manual: Independent Testing  The Independent Test should address…the integrity and accuracy of MIS used in the BSA/AML compliance program. MIS includes reports used to: identify large currency transactions, aggregate daily currency transactions, funds transfer transactions, monetary instrument sales transactions, and analytical and trend reports.  The programming of the Bank’s monitoring systems should be independently reviewed for reasonable filtering criteria.  Determine whether the system filtering criteria are reasonable and include, at a minimum, cash, monetary instruments, funds transfers, and other higher risk products, services, customers, or geographies, as appropriate. 5

Implementation Phase  Vital to success  Takes extensive time  Basis for data validation down the road  Map out where data is coming in…. “data feed” 6

Data feeds…. ACH Originator Beneficiary SEC code/IAT Indicator Core Systems Trust Loan Deposit Brokerage POD Fed file & other Wire System(s) “Other Side” name & address “Other side” Bank Payment order details International may be different Terminals Teller Proprietary ATMs Foreign ATMs POS checkouts Location Monetary instrument Purchaser Payee Method of payment Vendors OFAC XYZ AML System 7

Types of Currency Transactions… DDA CD IRA Savings Money market ATM Internal bank accounts, on customer’s behalf Deposits & Withdrawals Less cash / cash back On us non customer Transit check cashed Batched transactions Savings Withdrawal to Close account Loan payment Monetary instrument purchases General Ledger cash ins Loan disbursements Currency exchanges Cash orders Others 8

Implementation Phase, cont’d  What Transaction codes are being used? (are they being used correctly & consistently?). Example:  General debit or credit, or  Incoming domestic wire; Outgoing domestic wire; Incoming foreign wire; Outgoing foreign wire  Monetary Instrument sales – can implement unique code  ATM systems cannot always tell if cash or check deposit; can implement mitigating process… 9

 Select your customer sample for CIP/CDD  Select your transaction sample  Pull report that meets your sample criteria and check off against both lists; and  Pull customer report(s) and verify transaction appears, with all ancillary data.  Document, Document, Document Readiness Phase  Test, Test, Test  New account reports and any forms  Branch cash tickets/teller boards/night deposit logs  Wire transfers excel logs, or correspondent bank reports  Branch monetary instrument sales logs 10

During recent Independent Test… 11

Deeper thoughts on implementation…  Run parallel for a while…3-6 months  Join your system’s user group 12

Why Automated Solution for Monitoring ? 13

Regulatory Expectations, since 2005  FFIEC Exam Manual, Suspicious Activity Reporting - Overview “Management should periodically evaluate the appropriateness of filtering criteria and thresholds used in the monitoring process. Each bank should evaluate and identify filtering criteria most appropriate for their institution.” 14

Surveillance Monitoring Parameters  Initial Rule(s), examples:  Cash transactions between $7,000 and $10,000  3 or more wire transfers of less than $3,000 in a week  Wire transfer $5,000 or more in, followed by cash out $5,000 or more 15

Surveillance Monitoring Parameters  Filter(s), apply the rules to….  Subset or risk category of accounts Example, Personal accounts… Opened less than 3 months Example, Business accounts In high risk industries 16

Surveillance Monitoring Parameters  Intelligent systems  Review activity in context to other data  Adaptive based on historical activity  Can compare against peer group  “Behavior” norms 17

Regulatory Guidance – institution awareness  Management should document or be able to explain filtering criteria, thresholds used, and how both are appropriate for the institution’s risks. Recent test comments: “The BSA Officer was not aware of the AML system’s parameters that triggered the alert reports, and was not able to identify the triggers after researching the system during our review.” 18

Regulatory Guidance - setup  System filtering criteria should be developed through a review of specific higher-risk products and services, customers and entities, and geographies.  What customers, products and services are included within the surveillance monitoring system? Recent test comments: “Accounts rated as Charity, Jewel Dealer, and Non- traditional financial entities are not being assigned added points at account opening.” “DBAs are not being industry-coded.” 19

Regulatory Guidance - baseline  System filtering criteria, including specific profiles and rules, should be based on what is reasonable and expected for each type of account.  Monitoring accounts purely based on historical activity can be misleading if the activity is not actually consistent with similar types of accounts.  What is the system’s methodology for establishing and applying expected activity or profile filtering criteria and for generating monitoring reports? Recent test comment: “Customer Due Diligence data obtained at account opening is not being input to the AML system.” 20

Testing Transaction and Rules Sample screen shot where you can trace your sampled transaction into the system. Small box shows the transaction types (data feeds). 21

Vendor supplied Surveillance Parameters Institution created Constant Evaluation - Change Control Processes 22

Deeper thoughts on change control…  The volume of system alerts should not be tailored solely to meet existing staff levels.  System changes should be performed independently, and documented with:  purpose for the change,  evaluation afterwards, and  process to “un-do” if need be  BSA Officer should be involved/aware of all system updates. What is the impact on our filters/parameters?  Re-do testing where applicable! 23

Regulatory guidance on change control…  The authority to establish or change expected activity profiles should be clearly defined and should generally require the approval of the BSA Officer or senior management  Do controls limit access to the monitoring system and are there sufficient oversight of assumption changes? Recent test comment: “The BSA Officer can make changes to the parameters without IT or other independent review, and system maintenance reports do not provide a useful audit trail for parameter changes.” 24

Who uses AML system for Risk Rating?  Actual “high risk list” or something else?  Data validation can compare to Board and other reports of “high risk” customers …  Take transaction tests (performed earlier) and verify that “points” were properly assessed (or, transaction was appropriately identified by the filter).  Sample customers identified as high risk and validate appropriate. 25

Who uses AML system for recordkeeping?  Test recordkeeping and reporting for: Funds Transfers $3,000 or more Cash sales of Monetary Instruments $3,000 or more Customer Identification (CIP) Customer Due Diligence – Establish the risk level at account opening CTRs SARs Recent exam comment: “None of the CTRs thought to have been created and filed during this period were actually sent to FinCEN, as the system’s entire filing process was not ‘completed’.” 26

Who uses system for OFAC/314(a)?  Office of Foreign Asset Control  Test -- Date of list update(s)  Test -- Transactions searched  Test – name on list  USA PATRIOT Act 314(a)  Test -- records maintained  Test -- kept secure SAMPLE: Audit reports are available under Alerts – Watch List - Reports. Quick Search Log – provides a log of front line or teller searches against installed lists Watch List Analysis Audit Log – provides an audit trail of scans and list updates 314(a) Audit Log – provides a log of 314(a) files and any matches IAT Audit Log – provides a log of IAT import and any matches The “Installed List” panel on the dashboard also gives a snapshot of the lists the institution is using as well as when they were last updated. 27

Final deep thoughts…..  Each System is different  Read SAS 70 – SSAE 16 reports  Create test environment  Built in data validations & audit reports  Missing data reports  Daily # of new accounts brought in  Daily $ of transactions 28

Questions / Discussion ? 29