#1973947 - 11/04/14 03:23 PM System Validation
DebbieB Offline
Junior Member
Joined: Sep 2006
Posts: 37
I was wondering how many of you outsource your system validation or does anyone use your internal auditors.

#1974064 - 11/04/14 07:50 PM Re: System Validation DebbieB
dcl1963 Offline
100 Club
Joined: Feb 2006
Posts: 178
LA
I serve as Risk-BSA/Compliance/Internal Audit so our external BSA compliance auditors perform a validation/testing on our Core system for BSA purposes. We're looking at a few BSA monitoring/reporting vendors but haven't made a choice yet, so I'm no help there.
_________________________
In God we trust, all others pay cash. . . Jean Shepherd

#1974120 - 11/04/14 09:36 PM Re: System Validation DebbieB
devsfan Offline
Diamond Poster
Joined: Jun 2004
Posts: 1,927
NYC
Please clarify what you mean by system validation since there is a model (rules or alerts) validation, validation that the system works as designed, reconciliation of data feeds from the core-system, etc. and each could be done by a different individual, department, or outside vendor.

#1974129 - 11/04/14 09:52 PM Re: System Validation DebbieB
osucpa Offline
Diamond Poster
Joined: May 2011
Posts: 1,406
We perform ours in house using the appropriate OCC Bulletin.

#1974181 - 11/05/14 02:43 PM Re: System Validation DebbieB
Pat Patriot Act Offline
Gold Star
Joined: Apr 2009
Posts: 450
Originally Posted By: DebbieB
I was wondering how many of you outsource your system validation or does anyone use your internal auditors.


If you're looking to determine whether you should outsource or use Audit, my recommendation would be to hire a firm. BSA/AML system validation requires a level of expertise that your internal auditors likely do not have. Reconciling the core to the AML system and the AML system to the batch filing output is pretty straightforward; but it takes a specialist to identify gaps, confirm models operate as intended, assess the appropriateness of the alert thresholds, and evaluate the overall effectiveness of your suspicious activity detection models, enhanced due diligence identification models, and AML model governance program.

Personally, I advocate a two-prong approach, where BSA/AML employees perform self-testing and also hire a firm to perform an independent periodic system validation.
_________________________
CFE, CAMS

#1974191 - 11/05/14 02:58 PM Re: System Validation Pat Patriot Act
ACBbank Online
Power Poster
Joined: Jul 2006
Posts: 4,351
New York City
Originally Posted By: patsfan
Originally Posted By: DebbieB
I was wondering how many of you outsource your system validation or does anyone use your internal auditors.


Personally, I advocate a two-prong approach, where BSA/AML employees perform self-testing and also hire a firm to perform an independent periodic system validation.


This is exactly what the OCC told me they expected a couple of months ago during our S&S exam.
_________________________
"100 victories in 100 battles isn't the most skillful. Subduing the other's military w/o battle is the most skillful." Sun-Tzu

#1974644 - 11/06/14 12:59 PM Re: System Validation ACBbank
Pat Patriot Act Offline
Gold Star
Joined: Apr 2009
Posts: 450
Originally Posted By: ACBbank
Originally Posted By: patsfan
Originally Posted By: DebbieB
I was wondering how many of you outsource your system validation or does anyone use your internal auditors.


Personally, I advocate a two-prong approach, where BSA/AML employees perform self-testing and also hire a firm to perform an independent periodic system validation.


This is exactly what the OCC told me they expected a couple of months ago during our S&S exam.


I'm not one of them!!!

Having spent a decade in the trenches as an AML investigator and BSA Officer, I've found trustworthy information to be one of the most important aspects of any program.

I often tell my fellow local BSA Officer friends, if you aren't reconciling data per mapping on a daily basis, you aren't doing it right. I often get the "we don't have the resources" response - to which I say bulls***. If your system doesn't do it already (I believe Verafin does), then make your IT team build a process to run totals on extracts per mapping and totals in transactions BINs on the AML system right after the load happens. Many folks might be surprised how often any given system gets it wrong for some unexpected and unpredictable reason...
_________________________
CFE, CAMS
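
An added example, not part of the post above and not any vendor's code: a sketch of the post-load check it describes, totalling the core extract through the mapping and comparing counts and amounts against the transaction bins in the AML system. The mapping, code names and sample rows are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed mapping: core transaction code -> AML transaction bin (hypothetical names).
MAPPING = {"CD": "CASH_IN", "CW": "CASH_OUT", "WI": "WIRE_IN", "WO": "WIRE_OUT"}

def totals(rows):
    """Return {key: (count, amount_sum)} for an iterable of (key, amount) rows."""
    acc = defaultdict(lambda: [0, Decimal("0")])
    for key, amount in rows:
        acc[key][0] += 1
        acc[key][1] += Decimal(amount)
    return {k: (c, s) for k, (c, s) in acc.items()}

def reconcile(core_rows, aml_rows, mapping=MAPPING):
    """Compare core extract totals, translated through the mapping, with AML bin totals.

    Returns (breaks, unmapped): breaks maps each bin whose count or amount differs
    to (core_totals, aml_totals); unmapped lists core codes that have no bin at all.
    """
    core_rows = list(core_rows)
    unmapped = sorted({code for code, _ in core_rows if code not in mapping})
    expected = totals((mapping[c], a) for c, a in core_rows if c in mapping)
    loaded = totals(aml_rows)
    zero = (0, Decimal("0"))
    breaks = {}
    for bin_name in sorted(set(expected) | set(loaded)):
        exp, got = expected.get(bin_name, zero), loaded.get(bin_name, zero)
        if exp != got:
            breaks[bin_name] = (exp, got)
    return breaks, unmapped

# Constructed sample data for one day's load.
CORE_EXTRACT = [("CD", "9500.00"), ("CD", "400.00"), ("CW", "1200.00"),
                ("WI", "25000.00"), ("WO", "18000.00"), ("XX", "75.00")]
AML_LOADED = [("CASH_IN", "9500.00"), ("CASH_IN", "400.00"), ("CASH_OUT", "1200.00"),
              ("WIRE_IN", "25000.00")]  # the WIRE_OUT row never made it into the load

if __name__ == "__main__":
    breaks, unmapped = reconcile(CORE_EXTRACT, AML_LOADED)
    for bin_name, (exp, got) in breaks.items():
        print(f"BREAK {bin_name}: core={exp} aml={got}")
    print("unmapped core codes:", unmapped)
```

Unmapped codes are reported separately because a transaction type with no bin never reaches the monitoring rules, even when every mapped total ties out.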


Moderator:  Andy_Z